Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1562677
MD5:	96a7b754ca8e8f35ae9e2b88b9f25658
SHA1:	ed24a27a726b87c1d5bf1da60527e5801603bb8e
SHA256:	21d262741b3661b4bf1569f744dc5b5e6119cfa4f0748b9c0fa240f75442cc50
Tags:	exeuser-Bitsight
Infos:

Detection

DarkTortilla, RHADAMANTHYS

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected DarkTortilla Crypter

Yara detected RHADAMANTHYS Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Switches to a custom stack to bypass stack traces

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains executable resources (Code or Archives)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64

file.exe (PID: 7472 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 96A7B754CA8E8F35AE9E2B88B9F25658)

computerlead.exe (PID: 7492 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe MD5: 2354E800EEFC681A7D60F3B6B28ACFD9)

rundll32.exe (PID: 1340 cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\" MD5: EF3179D498793BF4234F708D3BE28633)

AddInProcess32.exe (PID: 380 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

AddInProcess32.exe (PID: 3200 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

AddInProcess32.exe (PID: 1340 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

AddInProcess32.exe (PID: 884 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

fontdrvhost.exe (PID: 7916 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: 8D0DA0C5DCF1A14F9D65F5C0BEA53F3D)

fontdrvhost.exe (PID: 8124 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)

WerFault.exe (PID: 6528 cmdline: C:\Windows\system32\WerFault.exe -u -p 8124 -s 136 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 8092 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 420 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkTortilla	DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.	No Attribution	https://www.secureworks.com/research/darktortilla-malware-analysis	https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name	Description	Attribution	Blogpost URLs	Link
Rhadamanthys	According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search user.	Sandworm	https://0xmrmagnezi.github.io/malware%20analysis/Rhadamanthys/ https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/ https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023 https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/ https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88	https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Malware Configuration

Threatname: Rhadamanthys

{"C2 url": "https://104.37.175.218:7982/da03ab84e7f8187e6/o304l70l.g00ox"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.2938052510.00000000056B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000012.00000003.2941844125.0000000000760000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000012.00000003.2946060481.0000000004D00000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000012.00000002.3046180127.0000000000A30000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000012.00000003.2945665948.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000010.00000002.2946578088.0000000001610000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000001.00000002.2931668884.00000000032E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: computerlead.exe PID: 7492	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: computerlead.exe PID: 7492	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: fontdrvhost.exe PID: 7916	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
1.2.computerlead.exe.56b0000.2.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
1.2.computerlead.exe.56b0000.2.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
18.3.fontdrvhost.exe.4ae0000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
18.3.fontdrvhost.exe.4ae0000.2.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
18.3.fontdrvhost.exe.4d00000.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
18.3.fontdrvhost.exe.4ae0000.6.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
18.3.fontdrvhost.exe.4ae0000.6.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 2 entries

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 7472, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0

Suricata Signatures

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T21:35:29.048247+0100	2854802	1	Domain Observed Used for C2 Detected	104.37.175.218	7982	192.168.2.6	49910	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe

Avira: detection malicious, Label: HEUR/AGEN.1358047

Found malware configuration

Source: 00000001.00000002.2936405362.00000000044F8000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://104.37.175.218:7982/da03ab84e7f8187e6/o304l70l.g00ox"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe

ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF7E5E046E8 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA,

0_2_00007FF7E5E046E8

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: wextract.pdb source: file.exe
Source:	Binary string: wextract.pdbGCTL source: file.exe
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: computerlead.exe, 00000001.00000002.2938052510.00000000056B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wkernel32.pdb source: fontdrvhost.exe, 00000012.00000003.2945316096.0000000004C00000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2945134717.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: fontdrvhost.exe, 00000012.00000003.2945665948.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2946060481.0000000004D00000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: fontdrvhost.exe, 00000012.00000003.2943041755.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2943531107.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: fontdrvhost.exe, 00000012.00000003.2944071441.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2944366502.0000000004C80000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: fontdrvhost.exe, 00000012.00000003.2943041755.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2943531107.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: fontdrvhost.exe, 00000012.00000003.2944071441.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2944366502.0000000004C80000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: fontdrvhost.exe, 00000012.00000003.2945316096.0000000004C00000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2945134717.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: fontdrvhost.exe, 00000012.00000003.2945665948.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2946060481.0000000004D00000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF7E5E026B8 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,

0_2_00007FF7E5E026B8

Source: C:\Windows\System32\fontdrvhost.exe

Code function: 4x nop then dec esp

22_2_000001BE066E0511

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 104.37.175.218:7982 -> 192.168.2.6:49910

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://104.37.175.218:7982/da03ab84e7f8187e6/o304l70l.g00ox

Source: global traffic

TCP traffic: 192.168.2.6:49910 -> 104.37.175.218:7982

Source: Joe Sandbox View

ASN Name: MAJESTIC-HOSTING-01US MAJESTIC-HOSTING-01US

Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218
Source: unknown	TCP traffic detected without corresponding DNS query: 104.37.175.218

Source: Amcache.hve.24.dr	String found in binary or memory: http://upx.sf.net
Source: fontdrvhost.exe, fontdrvhost.exe, 00000016.00000002.3129592218.000001BE066E0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://104.37.175.218:7982/da03ab84e7f8187e6/o304l70l.g00ox
Source: fontdrvhost.exe, 00000012.00000003.3045309813.0000000004DBB000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000016.00000002.3129592218.000001BE066E0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://104.37.175.218:7982/da03ab84e7f8187e6/o304l70l.g00oxkernelbasentdllkernel32GetProcessMitigat
Source: fontdrvhost.exe, 00000012.00000002.3045753092.000000000038C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://104.37.175.218:7982/da03ab84e7f8187e6/o304l70l.g00oxx
Source: fontdrvhost.exe, 00000012.00000003.2975846507.0000000004A4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudflare-dns.com/dns-query
Source: fontdrvhost.exe, 00000012.00000003.2975846507.0000000004A4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudflare-dns.com/dns-queryPOSTContent-TypeContent-LengthHostapplication/dns-message%dMachi

Source: fontdrvhost.exe, 00000012.00000003.2945665948.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: DirectInput8Create

memstr_5d029216-b

Source: fontdrvhost.exe, 00000012.00000003.2945665948.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_817dd6f5-0

Source: Yara match	File source: 18.3.fontdrvhost.exe.4ae0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.fontdrvhost.exe.4ae0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.fontdrvhost.exe.4d00000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.fontdrvhost.exe.4ae0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.fontdrvhost.exe.4ae0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000003.2946060481.0000000004D00000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2945665948.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 7916, type: MEMORYSTR

Source: C:\Windows\System32\fontdrvhost.exe	Code function: 22_2_000001BE066E1AA4 NtAcceptConnectPort,NtAcceptConnectPort,	22_2_000001BE066E1AA4
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 22_2_000001BE066E1CF4 NtAcceptConnectPort,CloseHandle,	22_2_000001BE066E1CF4
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 22_2_000001BE066E0AC8 NtAcceptConnectPort,NtAcceptConnectPort,	22_2_000001BE066E0AC8
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 22_2_000001BE066E15C0 NtAcceptConnectPort,	22_2_000001BE066E15C0

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe

Code function: 1_2_08B7DDE8 CreateProcessAsUserW,

1_2_08B7DDE8

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7E5E07FE4 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,		0_2_00007FF7E5E07FE4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7E5E033BC GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,		0_2_00007FF7E5E033BC

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7E5E05810	0_2_00007FF7E5E05810
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7E5E01A08	0_2_00007FF7E5E01A08
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7E5E04BE0	0_2_00007FF7E5E04BE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7E5E05B50	0_2_00007FF7E5E05B50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7E5E0521C	0_2_00007FF7E5E0521C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7E5E0721C	0_2_00007FF7E5E0721C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7E5E04BDE	0_2_00007FF7E5E04BDE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7E5E033BC	0_2_00007FF7E5E033BC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7E5E078AE	0_2_00007FF7E5E078AE
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_018046A0	1_2_018046A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_031B0DB0	1_2_031B0DB0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_031B2F40	1_2_031B2F40
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_0799D798	1_2_0799D798
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_0799C700	1_2_0799C700
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_0799EC30	1_2_0799EC30
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_07990460	1_2_07990460
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_0799E3A8	1_2_0799E3A8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_07990929	1_2_07990929
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_0799D787	1_2_0799D787
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_0799EF70	1_2_0799EF70
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_07993690	1_2_07993690
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_0799C6F9	1_2_0799C6F9
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_07993679	1_2_07993679
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_0799EC20	1_2_0799EC20
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_07998448	1_2_07998448
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_0799E366	1_2_0799E366
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B76CE0	1_2_08B76CE0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B7CCE8	1_2_08B7CCE8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B79058	1_2_08B79058
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B70040	1_2_08B70040
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B735A8	1_2_08B735A8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B78518	1_2_08B78518
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B70EE0	1_2_08B70EE0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B7E670	1_2_08B7E670
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B7E368	1_2_08B7E368
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B728A8	1_2_08B728A8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B72899	1_2_08B72899
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B77CF8	1_2_08B77CF8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B77CE8	1_2_08B77CE8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B76CD2	1_2_08B76CD2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B740DD	1_2_08B740DD
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B70006	1_2_08B70006
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B73400	1_2_08B73400
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B71460	1_2_08B71460
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B79048	1_2_08B79048
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B71DB9	1_2_08B71DB9
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B735A2	1_2_08B735A2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B73188	1_2_08B73188
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B71DC8	1_2_08B71DC8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B7ED08	1_2_08B7ED08
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B78508	1_2_08B78508
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B73178	1_2_08B73178
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B74158	1_2_08B74158
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B7AD48	1_2_08B7AD48
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B7C6A8	1_2_08B7C6A8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B70E01	1_2_08B70E01
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B72BA8	1_2_08B72BA8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B72B98	1_2_08B72B98
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B733F2	1_2_08B733F2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B72F50	1_2_08B72F50
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B72F41	1_2_08B72F41
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_08B7BF40	1_2_08B7BF40
Source: C:\Windows\System32\fontdrvhost.exe	Code function: 22_2_000001BE066E0C70	22_2_000001BE066E0C70

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 420

Source: file.exe

Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Windows 2000/XP setup, 821649 bytes, 1 file, at 0x2c +A "computerlead.exe", ID 1653, number 1, 36 datablocks, 0x1503 compression

Source: file.exe	Binary or memory string: OriginalFilename vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs file.exe

Source: computerlead.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: computerlead.exe.0.dr, La53Z.cs

Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'

Source: computerlead.exe, 00000001.00000002.2936405362.00000000044F8000.00000004.00000800.00020000.00000000.sdmp, computerlead.exe, 00000001.00000002.2936405362.00000000042E1000.00000004.00000800.00020000.00000000.sdmp, computerlead.exe, 00000001.00000002.2936405362.00000000045CF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000D.00000002.2551601895.0000000000399000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: .a_po^ ojYd.o B U.R G v.Q_F& ZNH K.9.sV`OQ qOq_A( N5.j P.X z.k.Yf_HL.P.L`.C Ue_q_B_t.h{_yr\=A f.3_q_Fvb_H_bm W.UP#.by_iY.Yw I.Y_G p.3c g.Zy S v.U.N C_m Z_i.H_j B l_DH_Pd.iz_O.f~ U z_Mv_d7 T Mz.f.594/}_m kS.v.D u.rZu.S G.N_x.V J.Q.G FO^.X<.6_fv.V ny.L,_E.2.m I_l.b$ Mx sZ.K! p.Y.U.V:U.89 R_H F3.d_R A UQ.C_y y Y Jb.Q_S.N.s< l_Ab~[_w9zV?!C9.N_HQ)*_n R.tP Ww_u aU;.V EPk Xr.Q0.y.A!]_b!7 g.R_pF.E_b o.o.q.o_E.T_rdfw.c}_ck.4.Y_w:_P.B(#`_xy_i.3_Y.A_N.q.6.YE_S_T.R H n.R_d_F.V.s_R68).I aL q.H b.W.Q!.r b_w c c$_va.X_v.tRm l.sln_D c! C.7_F m M_j6 zr.w F i}%_N.RB A7_wG_m.4_A#&.G mCx.Q_s N pTS.n.e C.4_v_C_Q.e J q7E V P.LP_Q.kTN_c.F.D gc.hT_s_Q1
Source: computerlead.exe, 00000001.00000002.2936405362.00000000044F8000.00000004.00000800.00020000.00000000.sdmp, computerlead.exe, 00000001.00000002.2936405362.00000000042E1000.00000004.00000800.00020000.00000000.sdmp, computerlead.exe, 00000001.00000002.2936405362.00000000045CF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000D.00000002.2551601895.0000000000399000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: .tRm l.sln_D c! C.7_F m M_j6 zr.w F i}%_N.RB A7_wG_m.4_A#&.G mCx.Q_s N pTS.n.e C.4_v_

Source: classification engine

Classification label: mal100.troj.evad.winEXE@18/7@0/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF7E5E07010 CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,FormatMessageA,

0_2_00007FF7E5E07010

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF7E5E033BC GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,

0_2_00007FF7E5E033BC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF7E5E05B50 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,

0_2_00007FF7E5E05B50

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF7E5E05810 memset,memset,CreateEventA,SetEvent,CreateMutexA,GetLastError,CloseHandle,FindResourceExA,LoadResource,#17,

0_2_00007FF7E5E05810

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\computerlead.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8124
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-b94d4e13-ee73-4f205d-6f5803211868}

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe

Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"

Source: file.exe

ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 420
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\System32\fontdrvhost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8124 -s 136
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: advpack.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: mswsock.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wextract.pdb source: file.exe
Source:	Binary string: wextract.pdbGCTL source: file.exe
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: computerlead.exe, 00000001.00000002.2938052510.00000000056B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wkernel32.pdb source: fontdrvhost.exe, 00000012.00000003.2945316096.0000000004C00000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2945134717.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: fontdrvhost.exe, 00000012.00000003.2945665948.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2946060481.0000000004D00000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: fontdrvhost.exe, 00000012.00000003.2943041755.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2943531107.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: fontdrvhost.exe, 00000012.00000003.2944071441.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2944366502.0000000004C80000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: fontdrvhost.exe, 00000012.00000003.2943041755.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2943531107.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: fontdrvhost.exe, 00000012.00000003.2944071441.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2944366502.0000000004C80000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: fontdrvhost.exe, 00000012.00000003.2945316096.0000000004C00000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2945134717.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: fontdrvhost.exe, 00000012.00000003.2945665948.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 00000012.00000003.2946060481.0000000004D00000.00000004.00000001.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Yara detected DarkTortilla Crypter

Source: Yara match	File source: 1.2.computerlead.exe.56b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.computerlead.exe.56b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2938052510.00000000056B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2931668884.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: computerlead.exe PID: 7492, type: MEMORYSTR

.NET source code contains method to dynamically call methods (often used by packers)

Source: computerlead.exe.0.dr, Qw4x7F.cs

.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[0]}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: computerlead.exe.0.dr, Qw4x7F.cs	.Net Code: f1G System.Reflection.Assembly.Load(byte[])
Source: computerlead.exe.0.dr, Qw4x7F.cs	.Net Code: f8ZQy5 System.Reflection.Assembly.Load(byte[])

Source: file.exe

Static PE information: 0xD97FD45F [Sun Aug 19 04:21:51 2085 UTC]

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF7E5E01A08 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree,

0_2_00007FF7E5E01A08

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_018071F8 pushfd ; retf	1_2_01807315
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_0799D682 push 9B0799D0h; iretd	1_2_0799D695
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_07998448 push FFFFFFC3h; ret	1_2_079986B5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Code function: 1_2_079972AD pushad ; ret	1_2_079972B3
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 18_3_003B6012 push 00000038h; iretd	18_3_003B601D
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 18_3_003B5606 pushad ; retf	18_3_003B5619
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 18_3_003B225D push eax; ret	18_3_003B225F
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 18_3_003B58BC pushad ; ret	18_3_003B58C1
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 18_3_003B588E push eax; iretd	18_3_003B589D
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 18_3_003B28ED push ebx; ret	18_3_003B28E4
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 18_3_003B18C0 push ebp; retf	18_3_003B18C1
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 18_3_003B4920 push 0000002Eh; iretd	18_3_003B4922
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 18_3_003B5F0C push es; iretd	18_3_003B5F0D
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 18_3_003B1179 push FFFFFF82h; iretd	18_3_003B117B
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 18_3_003B278B push ebx; ret	18_3_003B28E4
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 18_3_003B0FEA push eax; ret	18_3_003B0FF5
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Code function: 18_3_003B5FEE push FFFFFFD2h; retf	18_3_003B6011

Source: computerlead.exe.0.dr, s3JF.cs	High entropy of concatenated method names: 'Rn7s8N', 'MoveNext', 'f8MTe1', 'SetStateMachine', 'r0C2Qj', 'MoveNext', 'e2P9Lf', 'SetStateMachine', 'x8NHg2', 'i9G8'
Source: computerlead.exe.0.dr, r8C.cs	High entropy of concatenated method names: 'Nd', 'MoveNext', 'g1', 'SetStateMachine', 'Gi', 'Fy', 'm8', 'Ho', 'Fj', 'o0'
Source: computerlead.exe.0.dr, Qw4x7F.cs	High entropy of concatenated method names: 'r8T', 'Nt8', 'Pk0', 'p6C', 'f1G', 'x3Z', 'Cp7', 'a8D', 'y1B', 'Gj6'

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF7E5E01D28 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,

0_2_00007FF7E5E01D28

Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe

File opened: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe\:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: computerlead.exe PID: 7492, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	API/Special instruction interceptor: Address: 7FFDB442D044
Source: C:\Windows\SysWOW64\fontdrvhost.exe	API/Special instruction interceptor: Address: 7FFDB442D044
Source: C:\Windows\SysWOW64\fontdrvhost.exe	API/Special instruction interceptor: Address: 4CDB83A

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe

Section loaded: OutputDebugStringW count: 1939

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: fontdrvhost.exe, 00000012.00000002.3045986783.0000000000890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MP.EXEX64DBG.EXEX32DBG.E
Source: computerlead.exe, 00000001.00000002.2936405362.00000000044F8000.00000004.00000800.00020000.00000000.sdmp, computerlead.exe, 00000001.00000002.2936405362.00000000042E1000.00000004.00000800.00020000.00000000.sdmp, computerlead.exe, 00000001.00000002.2936405362.00000000045CF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000D.00000002.2551601895.0000000000399000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: ORIGINALFILENAMECFF EXPLORER.EXE:
Source: fontdrvhost.exe, 00000012.00000002.3045986783.0000000000890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X64DBG.EXE
Source: computerlead.exe, 00000001.00000002.2936405362.00000000044F8000.00000004.00000800.00020000.00000000.sdmp, computerlead.exe, 00000001.00000002.2936405362.00000000042E1000.00000004.00000800.00020000.00000000.sdmp, computerlead.exe, 00000001.00000002.2936405362.00000000045CF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 0000000D.00000002.2551601895.0000000000399000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INTERNALNAMECFF EXPLORER.EXE
Source: fontdrvhost.exe, 00000012.00000002.3045986783.0000000000890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE
Source: fontdrvhost.exe, 00000012.00000002.3045986783.0000000000890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EVERYWHERE.EXEFIDDLER.EXEIDA.EXEIDA64.EXEIMMU""<

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory allocated: 17A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory allocated: 32E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory allocated: 3120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory allocated: 8CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory allocated: 9CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory allocated: 9EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory allocated: AEA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory allocated: B260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory allocated: C260000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Window / User API: threadDelayed 2802			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Window / User API: threadDelayed 7020			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-2519

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -38000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -37874s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -37765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -37656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -37547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -37438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -37313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -37203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -37094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -36969s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -36860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -36735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -36610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -36485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -36360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -36235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -36110s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -35985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -35860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -35735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -35610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -35485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -35360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -35181s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -35016s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -34891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -34781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -34672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -34553s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -34438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -34322s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -34216s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -34109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -34000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -33891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -33781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -33672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -33563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -33438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -33313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -33188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -33078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -32968s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -32859s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -32745s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -32641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -32516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -32406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -32297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe TID: 7664	Thread sleep time: -32188s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF7E5E026B8 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,

0_2_00007FF7E5E026B8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF7E5E041EC GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,

0_2_00007FF7E5E041EC

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 38000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 37874	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 37765	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 37656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 37547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 37438	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 37313	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 37203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 37094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 36969	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 36860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 36735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 36610	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 36485	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 36360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 36235	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 36110	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 35985	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 35860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 35735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 35610	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 35485	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 35360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 35181	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 35016	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 34891	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 34781	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 34672	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 34553	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 34438	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 34322	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 34216	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 34109	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 34000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 33891	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 33781	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 33672	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 33563	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 33438	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 33313	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 33188	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 33078	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 32968	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 32859	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 32745	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 32641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 32516	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 32406	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 32297	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Thread delayed: delay time: 32188	Jump to behavior

Source: Amcache.hve.24.dr	Binary or memory string: VMware
Source: Amcache.hve.24.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.24.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.24.dr	Binary or memory string: VMware, Inc.
Source: computerlead.exe, 00000001.00000002.2938052510.00000000056B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
Source: Amcache.hve.24.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.24.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.24.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.24.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: fontdrvhost.exe, 00000012.00000002.3046069328.000000000093A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWi.csvl
Source: Amcache.hve.24.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: fontdrvhost.exe, 00000012.00000002.3046069328.000000000093A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.24.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.24.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.24.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.24.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.24.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.24.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.24.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.24.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: fontdrvhost.exe, 00000012.00000003.2946060481.0000000004D00000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: Amcache.hve.24.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.24.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.24.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.24.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: computerlead.exe, 00000001.00000002.2938052510.00000000056B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: VBoxTrayS
Source: Amcache.hve.24.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.24.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.24.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.24.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.24.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.24.dr	Binary or memory string: VMware Virtual RAM
Source: fontdrvhost.exe, 00000012.00000003.2946060481.0000000004D00000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity
Source: Amcache.hve.24.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.24.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe

Code function: 1_2_01807FA0 CheckRemoteDebuggerPresent,

1_2_01807FA0

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00007FF7E5E01A08

Source: C:\Windows\SysWOW64\fontdrvhost.exe

Code function: 18_3_003B0283 mov eax, dword ptr fs:[00000030h]

18_3_003B0283

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7E5E01404 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00007FF7E5E01404
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7E5E0170E SetUnhandledExceptionFilter,		0_2_00007FF7E5E0170E

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 350000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 530000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 500000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 350000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 530000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 500000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 350000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 351000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 399000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 3C8000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 3CC000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 3CE000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 4DF008	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 530000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 531000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 579000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 5A8000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 5AC000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 5AE000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 3B1008	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 500000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 501000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 549000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 578000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 57C000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 57E000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 3E2008	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 449000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 478000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 47C000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 47E000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 10A6008	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF7E5E02590 LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary,

0_2_00007FF7E5E02590

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF7E5E018E4 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

0_2_00007FF7E5E018E4

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF7E5E07FE4 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,

0_2_00007FF7E5E07FE4

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.24.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.24.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.24.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.24.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.24.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 00000012.00000003.2941844125.0000000000760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3046180127.0000000000A30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2946578088.0000000001610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 00000012.00000003.2941844125.0000000000760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3046180127.0000000000A30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2946578088.0000000001610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	21 Input Capture	1 System Time Discovery	Remote Services	11 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	1 Valid Accounts	1 Valid Accounts	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	21 Input Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	11 Access Token Manipulation	2 Obfuscated Files or Information	Security Account Manager	117 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	311 Process Injection	21 Software Packing	NTDS	431 Security Software Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	151 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Valid Accounts	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	151 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	11 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	311 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Hidden Files and Directories	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Rundll32	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	32%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
file.exe	100%	Avira	HEUR/AGEN.1358047
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	100%	Avira	HEUR/AGEN.1358047
C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe	34%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Source	Detection	Scanner	Label
https://104.37.175.218:7982/da03ab84e7f8187e6/o304l70l.g00oxx	0%	Avira URL Cloud	safe
https://104.37.175.218:7982/da03ab84e7f8187e6/o304l70l.g00ox	0%	Avira URL Cloud	safe
https://104.37.175.218:7982/da03ab84e7f8187e6/o304l70l.g00oxkernelbasentdllkernel32GetProcessMitigat	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
https://104.37.175.218:7982/da03ab84e7f8187e6/o304l70l.g00ox	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://cloudflare-dns.com/dns-query	fontdrvhost.exe, 00000012.00000003.2975846507.0000000004A4B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.24.dr	false		high
https://cloudflare-dns.com/dns-queryPOSTContent-TypeContent-LengthHostapplication/dns-message%dMachi	fontdrvhost.exe, 00000012.00000003.2975846507.0000000004A4B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://104.37.175.218:7982/da03ab84e7f8187e6/o304l70l.g00oxkernelbasentdllkernel32GetProcessMitigat	fontdrvhost.exe, 00000012.00000003.3045309813.0000000004DBB000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000016.00000002.3129592218.000001BE066E0000.00000040.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://104.37.175.218:7982/da03ab84e7f8187e6/o304l70l.g00oxx	fontdrvhost.exe, 00000012.00000002.3045753092.000000000038C000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.37.175.218	unknown	United States		396073	MAJESTIC-HOSTING-01US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562677
Start date and time:	2024-11-25 21:33:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@18/7@0/1
EGA Information:	Successful, ratio: 60%
HCA Information:	Successful, ratio: 61% Number of executed functions: 61 Number of non-executed functions: 37
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.190.177.23, 20.190.177.149, 20.190.147.11, 20.190.147.5, 20.190.147.9, 20.190.177.83, 20.190.177.84, 20.190.147.3, 13.89.179.12
Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, onedsblobprdcus17.centralus.cloudapp.azure.com, arc.msn.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, ris.api.iris.microsoft.com, ocsp.digicert.com, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Execution Graph export aborted for target fontdrvhost.exe, PID 7916 because there are no executed function
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
15:34:03	API Interceptor	216106x Sleep call for process: computerlead.exe modified
15:35:41	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.37.175.218	file.exe	Get hash	malicious	RHADAMANTHYS	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MAJESTIC-HOSTING-01US	file.exe	Get hash	malicious	RHADAMANTHYS	Browse	104.37.175.218
	doc_1000050408072024.js	Get hash	malicious	Remcos	Browse	191.101.130.5
	SLIM00260423 LIM-AMS-BOM.js	Get hash	malicious	Remcos	Browse	191.101.130.5
	Arrival_Notice_10008616062024.js	Get hash	malicious	AgentTesla	Browse	191.101.130.5
	1721804764a66192ba8849c107aecf73332780289e57101d88022de3de452c4d4afc349344344.dat-decoded.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	191.101.130.221
	INV-23072024.vbs	Get hash	malicious	AsyncRAT, DcRat	Browse	191.101.130.221
	11_deb64ed.exe	Get hash	malicious	Remcos	Browse	191.101.130.68
	Co0Wd0QVRU.exe	Get hash	malicious	Remcos, GuLoader	Browse	191.101.130.177
	172001946670b1e83321a2b0b2afa526495dda6118492d61c1dbccf1f24b87b00c0e2fc524979.dat-decoded.exe	Get hash	malicious	Remcos	Browse	191.101.130.177
	http://email.robly.com/ls/click?upn=IdEuq0w5NGjcvp67fJm0Fjx7zI0UoacAvfuhX8IXMfi-2FBcyVFfNBAnRRYn3xO-2B1CJBL1_x1qKbjhEBXTMhgFeszlbTPAP7pso9-2FxqCAo9mujVNdxRC-2Fe6szeUW2wUpsJPamXtYEX5TxNxvCL8y7P57m0ckeV4eInxu3K8zf4ZJir3swUgmhxHZ4ueQr8HlG-2FmusQJH6y7p25ps7Tk6J5qNmOony1meVnHS6SWYINya9roE9W5a8qQtJPhUrtwHjPNNr8-2FRq8ri-2Fd5oj6InCgVt40NRVo7kVkD4rXqnd5qh4hVxKxbkv-2B-2Bg5grednXpzEJrVoppO7kdIBlpx5FtxXkVy5jroHsBNlwPLvY7zHyi82KhBukRiMiFN-2Bq8Y5MIpQ3tDOtgM9smS8EBnUo-2BNczWmfSC7A0LEM5yvlMpWf2qtqc4I7FL0Pb-2FOBoG7nzLMuVBmfOyvltwMiXHcvatoR9WpKWTWbswWnOInmA3qfQw2YmDZYZTRlsjGJ1yVr4dcvvE98tzz8ObIb6wBOg-2BtttMS8VRCu3mc-2FvYkvjr5dNSCoVNCXZ0NX-2BlVkto2ZltzhjEciS#doc~mstewart@dsi.us	Get hash	malicious	Unknown	Browse	104.37.172.199

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_fontdrvhost.exe_d32c824e8915b30da4efd4eabd13e74e4ef8c1_ad0be647_0617501e-f2e0-4753-97d1-6002f83486ad\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6602110881556946
Encrypted:	false
SSDEEP:	96:atuHF03e8iqigKJDs3Wrk41yHpHS2QXIDcQkc6tcEycw3ZUtzJzQ+HbHgrZ2ZAXM:5SxiHnDxR0apYKjqzuiFhZ24lO8JO
MD5:	81EF546AF4F40DD2D7D23F1E5EF9E3F9
SHA1:	2E1F54C5018DF1FAEB695D53266E8957DA5F6BC5
SHA-256:	68B80ED1AB3BCEAC2F44DB31FDB89BCE339A6A1B0E2B951AF80A9492F6D29EAA
SHA-512:	71C3A7F26DAB1B9BC55C1F82FBF01F8FE8F3D3556DAB43F8549B70BD9223C900ECBC2A3CC43F23CDABEA89C82FAAEE6212D107576877FDAB120D380454845D43
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.0.4.0.5.3.6.5.3.3.6.9.8.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.0.4.0.5.3.6.8.1.4.9.5.5.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.6.1.7.5.0.1.e.-.f.2.e.0.-.4.7.5.3.-.9.7.d.1.-.6.0.0.2.f.8.3.4.8.6.a.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.9.e.c.f.f.b.2.-.8.2.6.0.-.4.a.c.4.-.b.4.3.f.-.5.0.2.8.a.3.6.5.0.5.3.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.f.o.n.t.d.r.v.h.o.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.f.o.n.t.d.r.v.h.o.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.b.c.-.0.0.0.1.-.0.0.1.5.-.e.3.7.b.-.4.e.9.3.7.9.3.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.5.e.f.b.3.f.9.7.3.4.2.b.a.1.9.5.4.2.4.1.3.4.f.2.8.f.9.7.7.d.a.9.e.0.d.6.a.a.9.1.!.f.o.n.t.d.r.v.h.o.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER837D.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Nov 25 20:35:36 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	46942
Entropy (8bit):	1.2971106828745593
Encrypted:	false
SSDEEP:	96:5H8IvqORdn9HyNaOK7i76rP0S9FTX2JLaidWIYbIgvlII0:y+q8MyO6rP0S9FD2sik9d0
MD5:	FF3F459C3FE26EA4E47BFF2D7DB3AD12
SHA1:	EBD4D3897BE5C7CB608B27FEDE0864B0F20CE687
SHA-256:	668B5F2AD2E0C138C45C632D14B82D16261B40C3BBA55C39F37CDA6B39AFF4CE
SHA-512:	91E79FD3AEB7B0AF3733F8388F1F32C7FC4EBA80B19B2CA98151B76219E157ED7A360DF4B2E7244A99A87F427E8176B6F2EFB23184CF11A16E22E9720498C9F1
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........Dg....................................$...2!..........T.......8...........T.......................................................................................................................eJ..............Lw......................T.............Dg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER83BC.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8816
Entropy (8bit):	3.693239224522388
Encrypted:	false
SSDEEP:	192:R6l7wVeJVRCw6YsCkuOgmfr57vHpD089bQO0f7wm:R6lXJzV6YpkuOgmfrFvzQFfJ
MD5:	167D51808F2B3494A9D349350537B222
SHA1:	70D2FEA02B16D840CFC04F0B3DC6314745C09166
SHA-256:	4D90617F7FCDE3941333421A730D27BE885AF438BB2CC4EB49B61EEAE75723C9
SHA-512:	07C50BA76E65D0195E1C8DDC8AE1E1E0E6088530654B8672278989B2C0C16088ACAA2D5FCF411D0E1BB48310F2539BD7B150355A17F9C7D828D1816CB59B0862
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.1.2.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER83EC.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4853
Entropy (8bit):	4.444610623113313
Encrypted:	false
SSDEEP:	48:cvIwWl8zsxJg771I9Ri7WpW8VYwPYm8M4Jk5LvM6Fri5Hoyq8vU5LvMnaMuKkFd:uIjfDI7GiK7V1SJcjMu6HoWsjMn1uKed
MD5:	94AA50AE90D8CE48BC4622DC1833A9FE
SHA1:	E2877F3D58B0E9721551AE5778A6357428225588
SHA-256:	BAF1765D11B80E1AA6D50F59AFE36BC6909ECE742C49FDDBE8E707C64F9BEFC6
SHA-512:	77BFAD05511EEE5B9296B6D6EFE276CEED5CC6B57BCB657A3C54F24C18293DDBCA357F9281E93127339BE85B9B68FA6D7C7F36FF2766B14B21AFC5855D033DF1
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="604058" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\computerlead.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLU84qpE4KlKDE4KhKiKhIE4Kx1qE4qXKIE4oKNzKoZAE4Kze0E4j:Mgv2HKlYHKh3oIHKx1qHitHo6hAHKzea
MD5:	FB53815DEEC334028DBDE4E3660E26D0
SHA1:	7F491359EC244406DFC8AA39FC9B727D677E4FDF
SHA-256:	C3EC8D6C079B1940D82374A85E9DC41ED9FF683ADA338F89E375AA7AC777749D
SHA-512:	5CC466901D7911BE1E1731162CC01C371444AAFA9A504F1F22516F60C888048EB78B5C5A12215EE2B127BD67A19677E370686465E85E08BC14015F8FAB049E49
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1177088
Entropy (8bit):	6.702638857236006
Encrypted:	false
SSDEEP:	24576:gyjL5sl1ApXhfQfivGAlMv0YIw0McEH1+edJVVq9Oj:BLXRRvGnvsw0MrVbdFEk
MD5:	2354E800EEFC681A7D60F3B6B28ACFD9
SHA1:	10B6A3D9D2283B5F98C9924FA1FCA6DA79EDB720
SHA-256:	D3C21F6C3892F0C444FFB4B06F962CADDF68D2C3938BBD399A3056DB255007E3
SHA-512:	0395737B77891D8CF7761266C2B3D594DEB8E742BD5F12F15F58B2C161C242356B953EBF8CD1F41924A917B2C1332BD2E05EF275EFD2419A6134A60729195354
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 34%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....F"................................. ... ....@.. .......................`............`.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........................N..............................................."...2.-.u....Uo.!.m...g.T_.S.e\|.w.A(O..j..X.g0:.9....S.Y=.g....%.5..'N.:....3.8..........Q<.u.0U&...*.....x.;.N.......6.'.9.r:m>.r=....h...y.._..r1#.......O.....:.}.\..k.e.6S.....?...v:.8d0u.._G..A7...._..Z...\+......O....+.....#..X.?.L..8. .:..\|.........p\yI..'s..,.....5.'.r.... ..<....%.e^.B...:b....%...5.clW..O@.S.w.-..z.......o...$# ...#.I.P...!..@A.u...f.[.F.4.R.6.

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.469550027615803
Encrypted:	false
SSDEEP:	6144:bzZfpi6ceLPx9skLmb0fYZWSP3aJG8nAgeiJRMMhA2zX4WABluuNqjDH5S:XZHtYZWOKnMM6bFpoj4
MD5:	040D263343B8CDC1FE2190B269E3E14D
SHA1:	57709A95AE7786A50A6C08B514B107511D3DC438
SHA-256:	A2F697586D13D312BC8F67C248D0ED724BF54861896354EB5B2EFA0C50902DE1
SHA-512:	DE6DB7AF14C22A7EDDCD143EEF5B68E8612BA87C2D9F97F645B8396B80115522C140E4901BD7102D24769F1B4A87863791AD2DAFBDC63CD8EBA14423359136AF
Malicious:	false
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..9.y?.............................................................................................................................................................................................................................................................................................................................................../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.828660572290537
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	954'368 bytes
MD5:	96a7b754ca8e8f35ae9e2b88b9f25658
SHA1:	ed24a27a726b87c1d5bf1da60527e5801603bb8e
SHA256:	21d262741b3661b4bf1569f744dc5b5e6119cfa4f0748b9c0fa240f75442cc50
SHA512:	facb2e44f5a506349710e9b2d29f6664357d057444a6bd994cf3901dee7bea471247b47496cc4480f1ad2fac4b1867117072ea7a0bfa83d55ced4e00dda96745
SSDEEP:	24576:XjeDC5sl1HpiZOD9/5uzt37m9lny1TX2k/EZ:XjQCILdozJ7ecX//E
TLSH:	2315011A2FA06D7AF8ECD37877A141B29233FCB113C442FB069C99685B329D054F256D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... .'8d.Ikd.Ikd.Ik/.Lje.Ik/.Jjg.Ik/.Mjw.Ik/.Hju.Ikd.Hk..Ik/.Ajn.Ik/..ke.Ik/.Kje.IkRichd.Ik................PE..d..._............."

File Icon


Icon Hash:	92848e869e9a98a2

Static PE Info

General

Entrypoint:	0x140001150
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0xD97FD45F [Sun Aug 19 04:21:51 2085 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	4cea7ae85c87ddc7295d39ff9cda31d1

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FE964B88430h
dec eax
add esp, 28h
jmp 00007FE964B87CABh
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], edi
inc ecx
push esi
dec eax
sub esp, 000000B0h
and dword ptr [esp+20h], 00000000h
dec eax
lea ecx, dword ptr [esp+40h]
call dword ptr [000082A5h]
nop
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ebx, dword ptr [eax+08h]
xor edi, edi
xor eax, eax
dec eax
cmpxchg dword ptr [0000B9D2h], ebx
je 00007FE964B87CACh
dec eax
cmp eax, ebx
jne 00007FE964B87CBFh
mov edi, 00000001h
mov eax, dword ptr [0000B9C8h]
cmp eax, 01h
jne 00007FE964B87CBCh
lea ecx, dword ptr [eax+1Eh]
call 00007FE964B882C4h
jmp 00007FE964B87D29h
mov ecx, 000003E8h
call dword ptr [00008253h]
jmp 00007FE964B87C66h
mov eax, dword ptr [0000B9A3h]
test eax, eax
jne 00007FE964B87D05h
mov dword ptr [0000B995h], 00000001h
dec esp
lea esi, dword ptr [000084DEh]
dec eax
lea ebx, dword ptr [000084BFh]
dec eax
mov dword ptr [esp+30h], ebx
mov dword ptr [esp+24h], eax
dec ecx
cmp ebx, esi
jnc 00007FE964B87CD1h
test eax, eax
jne 00007FE964B87CD1h
dec eax
cmp dword ptr [ebx], 00000000h
je 00007FE964B87CBCh
dec ecx
mov edx, 5E523070h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa394	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf000	0xd9be2	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xe000	0x444	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe9000	0x30	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9a78	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x9010	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9150	0x520	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7eb0	0x8000	8f5ddc5fa0c3119d30f7e00d7bfd48aa	False	0.547576904296875	data	6.109997796878264	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x2420	0x3000	79a5acf192c71ab3579d24a79e81e45b	False	0.3240559895833333	data	3.9065058401206216	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0x1f00	0x1000	f198899505f620007167379f74f8141c	False	0.083251953125	data	1.0384025678015962	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xe000	0x444	0x1000	d87d18cc3448a50b581d9a9660a39914	False	0.164306640625	PEX Binary Archive	1.4622023798757706	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xf000	0xd9be2	0xda000	1b267e6f8e3ab83e809071c324a2f1f7	False	0.9432988997993119	data	7.9215398279967015	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe9000	0x30	0x1000	b86e33c1f7fc5de5ef683b7d6eea5c32	False	0.01806640625	data	0.11282277483477143	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AVI	0xf698	0x2e1a	RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp	English	United States	0.2713099474665311
RT_ICON	0x124b4	0x2929	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9721932238777641
RT_ICON	0x14de0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0	English	United States	0.09075342465753425
RT_ICON	0x19008	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.11597510373443984
RT_ICON	0x1b5b0	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 0	English	United States	0.13476331360946744
RT_ICON	0x1d018	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.15337711069418386
RT_ICON	0x1e0c0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.1737704918032787
RT_ICON	0x1ea48	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 0	English	United States	0.21046511627906977
RT_ICON	0x1f100	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.25886524822695034
RT_RCDATA	0x1f568	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0x1f570	0xc8991	Microsoft Cabinet archive data, Windows 2000/XP setup, 821649 bytes, 1 file, at 0x2c +A "computerlead.exe", ID 1653, number 1, 36 datablocks, 0x1503 compression	English	United States	1.000098582241322
RT_RCDATA	0xe7f04	0x4	data	English	United States	3.0
RT_RCDATA	0xe7f08	0x24	data	English	United States	0.5833333333333334
RT_RCDATA	0xe7f2c	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0xe7f34	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0xe7f3c	0x4	data	English	United States	3.0
RT_RCDATA	0xe7f40	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0xe7f48	0x4	data	English	United States	3.0
RT_RCDATA	0xe7f4c	0x13	ASCII text, with no line terminators	English	United States	1.4210526315789473
RT_RCDATA	0xe7f60	0x4	data	English	United States	3.0
RT_RCDATA	0xe7f64	0x5	ASCII text, with no line terminators	English	United States	2.6
RT_RCDATA	0xe7f6c	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0xe7f74	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_GROUP_ICON	0xe7f7c	0x76	data	English	United States	0.7372881355932204
RT_VERSION	0xe7ff4	0x408	data	English	United States	0.42054263565891475
RT_MANIFEST	0xe83fc	0x7e6	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.37734915924826906

Imports

DLL	Import
ADVAPI32.dll	GetTokenInformation, RegDeleteValueA, RegOpenKeyExA, RegQueryInfoKeyA, FreeSid, OpenProcessToken, RegSetValueExA, RegCreateKeyExA, LookupPrivilegeValueA, AllocateAndInitializeSid, RegQueryValueExA, EqualSid, RegCloseKey, AdjustTokenPrivileges
KERNEL32.dll	_lopen, _llseek, CompareStringA, GetLastError, GetFileAttributesA, GetSystemDirectoryA, LoadLibraryA, DeleteFileA, GlobalAlloc, GlobalFree, CloseHandle, WritePrivateProfileStringA, IsDBCSLeadByte, GetWindowsDirectoryA, SetFileAttributesA, GetProcAddress, GlobalLock, LocalFree, RemoveDirectoryA, FreeLibrary, _lclose, CreateDirectoryA, GetPrivateProfileIntA, GetPrivateProfileStringA, GlobalUnlock, ReadFile, SizeofResource, WriteFile, GetDriveTypeA, LoadLibraryExA, SetFileTime, SetFilePointer, FindResourceA, CreateMutexA, GetVolumeInformationA, WaitForSingleObject, GetCurrentDirectoryA, FreeResource, GetVersion, SetCurrentDirectoryA, GetTempPathA, LocalFileTimeToFileTime, CreateFileA, SetEvent, TerminateThread, GetVersionExA, LockResource, GetSystemInfo, CreateThread, ResetEvent, LoadResource, ExitProcess, GetModuleHandleW, CreateProcessA, FormatMessageA, GetTempFileNameA, DosDateTimeToFileTime, CreateEventA, GetExitCodeProcess, ExpandEnvironmentStringsA, LocalAlloc, lstrcmpA, FindNextFileA, GetCurrentProcess, FindFirstFileA, GetModuleFileNameA, GetShortPathNameA, Sleep, GetStartupInfoW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, GetTickCount, EnumResourceLanguagesA, GetDiskFreeSpaceA, MulDiv, FindClose
GDI32.dll	GetDeviceCaps
USER32.dll	ShowWindow, MsgWaitForMultipleObjects, SetWindowPos, GetDC, GetWindowRect, DispatchMessageA, GetSystemMetrics, CallWindowProcA, SetWindowTextA, MessageBoxA, SendDlgItemMessageA, SendMessageA, GetDlgItem, DialogBoxIndirectParamA, GetWindowLongPtrA, SetWindowLongPtrA, SetForegroundWindow, ReleaseDC, EnableWindow, CharNextA, LoadStringA, CharPrevA, EndDialog, MessageBeep, ExitWindowsEx, SetDlgItemTextA, CharUpperA, GetDesktopWindow, PeekMessageA, GetDlgItemTextA
msvcrt.dll	?terminate@@YAXXZ, _commode, _fmode, _acmdln, __C_specific_handler, memset, __setusermatherr, _ismbblead, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, _XcptFilter, memcpy_s, _vsnprintf, _initterm, memcpy
COMCTL32.dll
Cabinet.dll
VERSION.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-25T21:35:29.048247+0100	2854802	ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert	1	104.37.175.218	7982	192.168.2.6	49910	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 21:35:27.599230051 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:27.719304085 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:27.719396114 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:27.719599962 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:27.839761019 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:28.927290916 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:28.928208113 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:29.048247099 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.292381048 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.301723003 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:29.421822071 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.681936026 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.681987047 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.681999922 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.682060957 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.682079077 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.682090998 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.682087898 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:29.682104111 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.682168007 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.682173014 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:29.682173014 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:29.682179928 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.682389975 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:29.690434933 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.690483093 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:29.693099022 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.693167925 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.693219900 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:29.802402973 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.802423000 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.802495003 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:29.883441925 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.883462906 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.883518934 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:29.887116909 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.887231112 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.887348890 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:29.894874096 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.894965887 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.895028114 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:29.902242899 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.902354002 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.902409077 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:29.910051107 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.910119057 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.910187006 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:29.917754889 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.917875051 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.918683052 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:29.925503969 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.925618887 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.926526070 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:29.935086966 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.935245037 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.935296059 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:29.941067934 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.941170931 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.941251040 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:29.952758074 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.952770948 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.952861071 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:29.958408117 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.958527088 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.958589077 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:29.965981960 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.966113091 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:29.966305971 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.088121891 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.088242054 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.088298082 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.090679884 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.090692997 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.090745926 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.095380068 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.095546007 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.095590115 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.100439072 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.100589991 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.100672960 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.105165005 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.105318069 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.105369091 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.110167980 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.110450983 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.110516071 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.114497900 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.114690065 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.114739895 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.118261099 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.118273973 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.118343115 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.121148109 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.121277094 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.121347904 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.126504898 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.126522064 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.126584053 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.130422115 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.130547047 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.130619049 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.136879921 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.136893034 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.137104034 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.141670942 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.141820908 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.142015934 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.145662069 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.145819902 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.145854950 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.150389910 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.150511980 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.150698900 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.155196905 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.155215025 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.155291080 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.159989119 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.160006046 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.160109043 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.164683104 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.164697886 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.164772034 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.169542074 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.169554949 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.169617891 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.174237013 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.174395084 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.174427986 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.179011106 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.179024935 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.179069042 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.183775902 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.183937073 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.183969975 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.188651085 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.188662052 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.188728094 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.210400105 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.210702896 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.210947037 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.285701036 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.285825968 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.285897970 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.287626982 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.287746906 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.287780046 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.291507006 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.291613102 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.291651964 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.295361996 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.295471907 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.295520067 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.299253941 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.299384117 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.299427986 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.303033113 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.303137064 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.306672096 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.306833982 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.306842089 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.306869030 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.310241938 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.310329914 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.310376883 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.313795090 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.313858986 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.313906908 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.317253113 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.317450047 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.317492008 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.320662022 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.320801973 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.320843935 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.324548960 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.324559927 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.324594975 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.327503920 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.327568054 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.327713966 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.330908060 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.331031084 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.331063986 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.334348917 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.334438086 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.334475994 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.337691069 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.337821007 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.337862015 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.341093063 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.341228962 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.341262102 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.342987061 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.343060017 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.343101978 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.344851017 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.344922066 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.344963074 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.346771955 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.346982002 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.347023010 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.348644018 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.348756075 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.350522995 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.350564957 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.350627899 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.350707054 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.352432966 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.352547884 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.352590084 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.354351997 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.354463100 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.354502916 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.356281042 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.356484890 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.356725931 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.358206987 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.358326912 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.358366013 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.360054016 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.360157967 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.360193968 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.361943007 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.362042904 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.362569094 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.363863945 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.363969088 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.364011049 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.365776062 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.365971088 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.366003036 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.367660046 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.367782116 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.367943048 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.369522095 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.369627953 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.370949984 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.371443033 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.371515989 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.371548891 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.373325109 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.373439074 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.373481989 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.375221968 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.375279903 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.375453949 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.377233028 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.377367020 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.378948927 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.379060984 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.379348993 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.379455090 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.380966902 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.381127119 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.382951021 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.382988930 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.383300066 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.383347988 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.384735107 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.384787083 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.384829044 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.486838102 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.486927032 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.487068892 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.487752914 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.487890005 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.487927914 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.489643097 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.490319014 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.490367889 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.490372896 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.492129087 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.492191076 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.492213011 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.493966103 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.494025946 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.494060040 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.495807886 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.495944977 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.495970964 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.497529984 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.497565031 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.497648001 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.499259949 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.499368906 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.499385118 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.500931025 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.500983000 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.501019001 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.502629042 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.502665043 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.502741098 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.504347086 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.504391909 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.504419088 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.505916119 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.506040096 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.506079912 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.507514000 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.507628918 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.507638931 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.509125948 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.509179115 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.509213924 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.510622025 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.510678053 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.510735035 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.512247086 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.512285948 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.512424946 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.513744116 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.513851881 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.513856888 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.515261889 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.515402079 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.515423059 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.516793966 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.516860962 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.516932964 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.518309116 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.518343925 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.518404007 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.519867897 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.519951105 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.519962072 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.521398067 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.521513939 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.521564007 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.522916079 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.522965908 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.523020029 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.524480104 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.524521112 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.524557114 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.526026011 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.526062012 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.526124954 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.527544975 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.527599096 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.527654886 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.529104948 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.529166937 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.529186964 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.530620098 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.530694962 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.530711889 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.532155037 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.532207012 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.532247066 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.533700943 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.533736944 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.533767939 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.535264015 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.535303116 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.535304070 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.536787987 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.536840916 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.536873102 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.538338900 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.538388014 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.538456917 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.539809942 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.539864063 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.539927006 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.541385889 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.541423082 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.541456938 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.542910099 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.542953968 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.543020964 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.544507980 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.544547081 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.544625998 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.545984030 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.546025038 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.546058893 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.547509909 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.547624111 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.547671080 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.549007893 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.549045086 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.549129009 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.550574064 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.550659895 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.550699949 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.552119970 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.552170038 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.552294016 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.553657055 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.553699970 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.553735018 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.555202961 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.555252075 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.555288076 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.556751966 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.556792021 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.556818962 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.558304071 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.558357954 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.558423042 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.559820890 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.559832096 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.559874058 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.561331034 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.561382055 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.561404943 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.562865019 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.562901974 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.562987089 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.564495087 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.564558029 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.564560890 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.565931082 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.565973043 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.566031933 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.567480087 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.567517996 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.567565918 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.568960905 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.569020033 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.690165997 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.690251112 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.690315962 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.690648079 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.690763950 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.690810919 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.691843987 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.691979885 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.692033052 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.693032026 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.693078041 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.693123102 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.694287062 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.694329023 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.694422007 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.695476055 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.695605993 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.695648909 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.696692944 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.696712971 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.696772099 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.697910070 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.698030949 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.698091030 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.699115038 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.699239016 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.699306965 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.700326920 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.700504065 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.700553894 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.701555014 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.701718092 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.701761961 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.702769041 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.702886105 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.702929974 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.703979969 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.704085112 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.704121113 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.705193996 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.705302954 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.705343008 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.706418991 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.706523895 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.706573009 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.707612991 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.707801104 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.707931042 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.708837986 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.708964109 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.709003925 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.710079908 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.710242033 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.710283995 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.711287975 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.711411953 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.711452961 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.712593079 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.712812901 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.712852955 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.713743925 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.713835001 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.713874102 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.714972019 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.715076923 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.715118885 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.716155052 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.716268063 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.716308117 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.717381001 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.717603922 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.717648029 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.718596935 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.718724966 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.718764067 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.719863892 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.720005035 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.720046043 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.721019983 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.721143961 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.721189976 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.722218037 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.722341061 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.722484112 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.723468065 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.723572016 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.723613024 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.724666119 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.724798918 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.724838972 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.725879908 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.725996971 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.726036072 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.727138042 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.727178097 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.727220058 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.728317976 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.728436947 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.728476048 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.729537964 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.729625940 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.729665995 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.730750084 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.730873108 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.730914116 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.731985092 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.732108116 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.732407093 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.733175993 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.733268023 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.733314991 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.734415054 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.734504938 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.734544992 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.735611916 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.735740900 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.735785961 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.736855030 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.736968040 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.737008095 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.738059044 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.738130093 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.738183022 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.739274025 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.739382982 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.739437103 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.740516901 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.740647078 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.740688086 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.741707087 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.741811991 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.741854906 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.742955923 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.743024111 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.743077993 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.744184017 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.744303942 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.744345903 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.745347977 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.745502949 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.745542049 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.746567965 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.746696949 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.746731043 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.747932911 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.748027086 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.748786926 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.749043941 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.749114037 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.749150991 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.750207901 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.750328064 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.750368118 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.751465082 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.751593113 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.751693964 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.752681017 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.752821922 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.752865076 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.753807068 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.802037001 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.890178919 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.890374899 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.890427113 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.890850067 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.890917063 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.890958071 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.891028881 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.892158985 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.892201900 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.892258883 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.893520117 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.893789053 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.893816948 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.894649029 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.894752026 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.894797087 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.895781040 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.895839930 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.895893097 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.897016048 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.897059917 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.897095919 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.898214102 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.898257017 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.898269892 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.899456024 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.899523973 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.899550915 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.900675058 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.900721073 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.900804996 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.901853085 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.901918888 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.901947021 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.903094053 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.903136969 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.903212070 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.904314995 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.904360056 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.904397964 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.905510902 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.905620098 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.905666113 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.906753063 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.906795025 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.906829119 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.907944918 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.907989025 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.908148050 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.909185886 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.909197092 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.909229040 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.910391092 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.910427094 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.910459995 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.911595106 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.911638021 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.911710024 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.912822962 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.912883997 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.912916899 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.914011955 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.914057970 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.914074898 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.915326118 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.915368080 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.915395975 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.916455984 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.916502953 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.916546106 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.917721033 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.917802095 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.918147087 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.918912888 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.918962002 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.918986082 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.920098066 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.920140982 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.920222044 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.921441078 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.921480894 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.921547890 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.922574043 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.922683001 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.922688007 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.923773050 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.923861027 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.923882961 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.925017118 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.925060034 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.925091028 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.926172972 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.926306963 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.926337957 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.927411079 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.927454948 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.927525043 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.928622961 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.928684950 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.928698063 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.929838896 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.929883003 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.929986954 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.931061983 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.931109905 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.931149006 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.932285070 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.932326078 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.932360888 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.933506966 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.933547974 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.933598995 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.934746027 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.934797049 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.934818983 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.935916901 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.935969114 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.936028004 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.937128067 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.937159061 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.937203884 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.938381910 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.938492060 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.938524008 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.939587116 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.939635992 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.939677000 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.940856934 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.940901995 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.941000938 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.941999912 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.942044973 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.942085981 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.943242073 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.943279028 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.943321943 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.944417953 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.944489002 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.944552898 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.945672989 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.945724964 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.945729017 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.946865082 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.946903944 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.946913004 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.948100090 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.948152065 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.948183060 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.949281931 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.949322939 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.949387074 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.950536966 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.950550079 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.950584888 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.951807976 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.951883078 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.951919079 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.952963114 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:30.953035116 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:30.953049898 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.005147934 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.091578960 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.091680050 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.091775894 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.092107058 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.092222929 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.092384100 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.093368053 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.093544960 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.093590975 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.094552040 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.094613075 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.094655991 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.102550030 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.102569103 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.102581024 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.102590084 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.102601051 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.102611065 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.102621078 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.102631092 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.102638006 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.102639914 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.102650881 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.102662086 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.102670908 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.102675915 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.102686882 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.102709055 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.103327990 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.103542089 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.103584051 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.104767084 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.104840040 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.104883909 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.105730057 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.105859041 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.105902910 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.106791973 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.106820107 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.106865883 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.107918024 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.108026981 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.108074903 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.109143972 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.109246969 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.109416962 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.110424995 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.110471010 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.110584974 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.111579895 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.111705065 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.111826897 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.112807035 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.112926960 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.112973928 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.114006042 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.114115953 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.114161968 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.115246058 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.115309954 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.115350008 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.116444111 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.116503954 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.116544962 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.117667913 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.117759943 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.117808104 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.118902922 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.119026899 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.119236946 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.120129108 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.120311022 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.120393991 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.121323109 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.121438026 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.121619940 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.122514963 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.122642994 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.122680902 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.123826981 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.123902082 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.123950958 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.124993086 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.125093937 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.125284910 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.126180887 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.126298904 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.126722097 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.127422094 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.127547026 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.127593994 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.128617048 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.128739119 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.128783941 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.129858971 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.130023003 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.130069971 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.131093979 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.131172895 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.131216049 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.132262945 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.132365942 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.132412910 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.133538008 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.133553028 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.133610010 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.134720087 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.134821892 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.134871006 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.135938883 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.136080980 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.136128902 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.137135983 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.137271881 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.137336016 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.138401031 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.138499022 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.138694048 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.139591932 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.139727116 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.139775038 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.140831947 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.140952110 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.141062975 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.141993999 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.142045975 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.142096043 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.143215895 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.143330097 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.143433094 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.144469976 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.144548893 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.144593000 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.145705938 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.145752907 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.145816088 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.146899939 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.147283077 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.147350073 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.148085117 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.148224115 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.148282051 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.149308920 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.149442911 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.150552034 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.150615931 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.150654078 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.150702953 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.151717901 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.151838064 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.151902914 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.153033018 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.153053045 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.153126001 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.154197931 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.154301882 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.154347897 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.155343056 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.208286047 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.292896032 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.292942047 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.293097973 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.293399096 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.293714046 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.293764114 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.294635057 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.294774055 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.294819117 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.295803070 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.295955896 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.296485901 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.297018051 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.297153950 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.297219038 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.298269033 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.298428059 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.298476934 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.299454927 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.299575090 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.300050974 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.300678015 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.300802946 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.300843954 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.301908970 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.302027941 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.302520990 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.303123951 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.303215981 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.303360939 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.304335117 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.304380894 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.304487944 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.305505991 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.305605888 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.305680990 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.306766033 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.306868076 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.306905031 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.308013916 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.308202982 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.308284044 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.309235096 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.309370995 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.309664965 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.310453892 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.310554028 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.310673952 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.311614037 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.311826944 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.312316895 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.312833071 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.312891960 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.312937021 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.314059019 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.314157963 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.314213991 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.315346956 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.315423012 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.315466881 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.316500902 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.316615105 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.316764116 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.317778111 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.317858934 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.318068981 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.318947077 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.319118977 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.319163084 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.320173979 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.320473909 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.320521116 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.321336985 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.321412086 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.321449995 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.322582960 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.322801113 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.322949886 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.323785067 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.323905945 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.324664116 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.324978113 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.325090885 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.325187922 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.326225996 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.326292992 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.326473951 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.327409983 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.327564955 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.327610016 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.329140902 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.329267979 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.329305887 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.329919100 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.330069065 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.330113888 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.331379890 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.331437111 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.331682920 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.332371950 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.332482100 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.332550049 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.333561897 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.333673000 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.333868980 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.334835052 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.335020065 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.335118055 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.335963011 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.335984945 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.336030006 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.337168932 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.337264061 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.337311029 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.338404894 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.338527918 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.338733912 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.339627981 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.339767933 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.339827061 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.340900898 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.340995073 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.341147900 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.342051983 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.342161894 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.342279911 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.343280077 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.343406916 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.343451977 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.344477892 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.344575882 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.344628096 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.345762968 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.345873117 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.345921040 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.346920013 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.347059965 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.347229004 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.348166943 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.348448038 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.348536015 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.349339962 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.349447966 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.349639893 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.350590944 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.350708961 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.350792885 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.351794958 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.351913929 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.351962090 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.352991104 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.353079081 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.353120089 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.354213953 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.354319096 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.354717970 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.355454922 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.355596066 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.355642080 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.356770039 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.411432028 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.493977070 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.494043112 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.494297028 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.494582891 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.494730949 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.494951963 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.495773077 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.495893955 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.496079922 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.496978998 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.497109890 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.497651100 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.498195887 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.498297930 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.498356104 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.499408960 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.499530077 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.500705957 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.500767946 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.500768900 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.500808954 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.501867056 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.501913071 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.502037048 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.503078938 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.503119946 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.503181934 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.504288912 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.504354000 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.504595995 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.505517006 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.505645037 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.506756067 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.506814003 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.506846905 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.506894112 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.507936001 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.507986069 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.508143902 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.509160995 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.509239912 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.509608030 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.510354042 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.510461092 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.510962009 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.511590958 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.511708021 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.512814999 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.512873888 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.512937069 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.514040947 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.514169931 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.514235973 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.515208006 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.515333891 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.515908957 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.516439915 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.516653061 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.516705036 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.517671108 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.517777920 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.517862082 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.518913984 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.519098043 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.519412994 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.520119905 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.520201921 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.520261049 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.521334887 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.521459103 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.521509886 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.522553921 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.522573948 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.522650003 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.523763895 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.523878098 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.523933887 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.524964094 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.525083065 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.525319099 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.526228905 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.526309967 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.526426077 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.527544975 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.527599096 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.527663946 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.528651953 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.528754950 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.528809071 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.529879093 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.530000925 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.530046940 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.531083107 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.531102896 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.531677961 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.532289028 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.532365084 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.532413006 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.533516884 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.533627033 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.533696890 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.534730911 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.534837008 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.534882069 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.535949945 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.536065102 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.536107063 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.537161112 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.537272930 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.537353992 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.538367033 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.538461924 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.538507938 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.539740086 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.539752007 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.539798021 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.540798903 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.540894985 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.540980101 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.542015076 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.542139053 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.542953014 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.543226957 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.543308020 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.544449091 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.544497967 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.544549942 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.544904947 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.545712948 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.545880079 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.545919895 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.546940088 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.547069073 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.547116041 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.548095942 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.548203945 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.548238039 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.549315929 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.549408913 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.549541950 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.550529003 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.550649881 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.550960064 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.551748991 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.551862001 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.552799940 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.552973032 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.553082943 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.553432941 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.554192066 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.554331064 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.554405928 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.555402994 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.555526018 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.555561066 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.556622982 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.556745052 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.556797981 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.557791948 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.598906040 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.695513964 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.695568085 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.695703030 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.696038008 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.696113110 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.696156979 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.697235107 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.697328091 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.697987080 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.698446989 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.698550940 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.698605061 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.699657917 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.699767113 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.699810028 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.700903893 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.701000929 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.701056004 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.702135086 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.702238083 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.702286959 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.703326941 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.703455925 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.703500032 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.704617023 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.704628944 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.704664946 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.705741882 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.705950975 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.706053019 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.706988096 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.707051039 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.707107067 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.708291054 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.708427906 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.708476067 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.709387064 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.709512949 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.709558964 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.710654020 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.710781097 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.710829020 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.711946964 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.712043047 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.712091923 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.713073015 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.713253975 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.713510990 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.714380980 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.714590073 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.714636087 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.715511084 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.715697050 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.715872049 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.716752052 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.716882944 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.716933966 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.717968941 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.718070984 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.718218088 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.719229937 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.719280958 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.719422102 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.720402002 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.720474005 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.720545053 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.721651077 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.721752882 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.721829891 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.723100901 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.723244905 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.723308086 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.724575043 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.724709988 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.724852085 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.725733995 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.725788116 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.725996971 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.726550102 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.726629972 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.726726055 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.727734089 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.727781057 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.727935076 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.728897095 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.729027033 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.729147911 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.730134010 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.730285883 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.730679989 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.731386900 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.731509924 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.731581926 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.732578039 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.732687950 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.732755899 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.733908892 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.733963966 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.734034061 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.735035896 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.735136986 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.735249996 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.736216068 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.736339092 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.736498117 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.737437010 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.737545013 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.737710953 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.738646030 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.738801003 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.738858938 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.740032911 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.740181923 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.740221977 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.741389990 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.741504908 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.741548061 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.742436886 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.742567062 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.742603064 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.743752003 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.743885994 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.744005919 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.744826078 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.744971037 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.745130062 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.746012926 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.746126890 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.746229887 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.747229099 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.747347116 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.747400999 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.748405933 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.748512030 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.748553991 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.749620914 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.749737978 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.749818087 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.750873089 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.751010895 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.751065016 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.752052069 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.752181053 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.752289057 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.753317118 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.753456116 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.753571033 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.754515886 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.754683971 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.754735947 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.755831957 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.755996943 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.756150007 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.757006884 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.757158995 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.757236958 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.758263111 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.758405924 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.758543968 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.759340048 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.802047968 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.896650076 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.896770000 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.897142887 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.897166014 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.897413969 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.897550106 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.897608995 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.898650885 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.898710012 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.898746014 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.899857044 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.899909973 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.900029898 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.901067972 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.901209116 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.901226997 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.902359009 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.902436972 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.902476072 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.903503895 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.903587103 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.903660059 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.904716015 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.904824018 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.904881954 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.905942917 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.906013966 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.906049013 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.907143116 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.907243967 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.907295942 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.908389091 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.908449888 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.908514023 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.909605026 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.909694910 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.909769058 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.910825968 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.910885096 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.911091089 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.912028074 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.912102938 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.912111998 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.913261890 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.913467884 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.913522005 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.914452076 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.914511919 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.914587021 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.915652037 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.915779114 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.915831089 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.916894913 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.916945934 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.916976929 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.918102980 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.918169022 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.918205023 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.919348001 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.919418097 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.919441938 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.920531034 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.920686007 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.920748949 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.921777964 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.921844959 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.921881914 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.922991037 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.923152924 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.923185110 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.924210072 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.924351931 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.924709082 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.925456047 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.925508976 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.925544024 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.926634073 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.926697969 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.926719904 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.927845001 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.927901030 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.927973032 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.929075956 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.929178953 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.929249048 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.930325031 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.930382967 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.930423021 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.931567907 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.931646109 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.931715012 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.932735920 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.932801008 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.932837009 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.934077024 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.934283018 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.934297085 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.935157061 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.935295105 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.935328960 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.936369896 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.936491966 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.936552048 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.937588930 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.937660933 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.937695980 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.938807011 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.938860893 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.938934088 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.940009117 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.940058947 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.940069914 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.941214085 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.941313028 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.941358089 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.942425966 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.942497015 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.942559004 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.943665028 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.943731070 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.943759918 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.944871902 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.944932938 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.945105076 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.946131945 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.946201086 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.946212053 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.947329998 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.947384119 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.947463989 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.948532104 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.948625088 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.948673964 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.949902058 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.949933052 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.949980974 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.950953960 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.951108932 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.951143026 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.952214956 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.952368021 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.952426910 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.953401089 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.953454018 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.953550100 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.954626083 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.954679012 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.954709053 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.955856085 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.955933094 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.956007957 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.957094908 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.957149982 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.957225084 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.958355904 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.958450079 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.958467960 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:31.959502935 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.959578037 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:31.959636927 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.098057032 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.098139048 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.098364115 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.098571062 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.098964930 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.099893093 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.099968910 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.099971056 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.100019932 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.101020098 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.101130009 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.101185083 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.102260113 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.102381945 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.102674961 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.103468895 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.103591919 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.103634119 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.104670048 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.104804039 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.105232000 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.105885983 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.106110096 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.106163025 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.107120991 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.107251883 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.107295990 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.108325005 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.108442068 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.108802080 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.109529972 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.109663010 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.109715939 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.110821009 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.110951900 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.111084938 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.111983061 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.112083912 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.112135887 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.113205910 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.113292933 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.113351107 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.114401102 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.114512920 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.114656925 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.115631104 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.115740061 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.115814924 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.116837025 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.116944075 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.117119074 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.118072033 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.118166924 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.118721962 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.119286060 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.119400978 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.119457960 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.120518923 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.120605946 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.120867014 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.121716022 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.121834993 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.121891022 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.122935057 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.123044968 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.123099089 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.124138117 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.124264956 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.124324083 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.125376940 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.125475883 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.125524998 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.126585007 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.126701117 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.126832962 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.127793074 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.127895117 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.127933979 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.129010916 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.129132986 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.129209995 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.130264997 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.130547047 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.130603075 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.131669998 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.131680965 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.131737947 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.132693052 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.132816076 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.133902073 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.134016991 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.134110928 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.135128975 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.135231972 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.136112928 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.136312008 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.136454105 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.136501074 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.137546062 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.137660980 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.137710094 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.138777971 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.138911009 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.139014006 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.139935970 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.140059948 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.140109062 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.141205072 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.141264915 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.141319036 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.142442942 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.142540932 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.142596006 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.143624067 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.143735886 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.143794060 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.144854069 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.144942045 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.145029068 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.146060944 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.146178007 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.146967888 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.147269964 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.147413969 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.147469044 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.148485899 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.148633957 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.148693085 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.149707079 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.149815083 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.149878025 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.150923014 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.151036024 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.152112961 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.152177095 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.152235031 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.153345108 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.153433084 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.153469086 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.154625893 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.154689074 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.154730082 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.154958010 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.155805111 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.155855894 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.155915022 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.156992912 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.157108068 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.157160997 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.158238888 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.158361912 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.158416986 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.159457922 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.159565926 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.160689116 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.160736084 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.160747051 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.161617041 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.161840916 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.210974932 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.299325943 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.299340963 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.299583912 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.299654007 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.299710989 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.300813913 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.300858021 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.300932884 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.302122116 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.302169085 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.302201986 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.302901030 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.302947044 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.303067923 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.304096937 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.304141998 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.304176092 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.305301905 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.305331945 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.305354118 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.306570053 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.306629896 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.306682110 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.306952000 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.307750940 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.307869911 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.308942080 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.308999062 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.309035063 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.309076071 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.310228109 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.310409069 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.310615063 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.311357975 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.311398029 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.311439991 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.312581062 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.312719107 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.312766075 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.313776970 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.313889027 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.314340115 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.315015078 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.315114975 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.315160036 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.316231966 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.316344023 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.317436934 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.317497969 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.317504883 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.317548990 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.318645954 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.318762064 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.318950891 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.319853067 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.319961071 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.321079969 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.321136951 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.321202993 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.321249962 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.322365046 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.322463036 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.322501898 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.323497057 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.323616982 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.323669910 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.324717045 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.324842930 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.325479031 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.325922012 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.326015949 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.326064110 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.327199936 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.327289104 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.327339888 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.328361034 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.328500032 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.329772949 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.329792023 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.329838037 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.329912901 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.330821037 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.330945969 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.332010984 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.332063913 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.332118988 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.332169056 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.333225965 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.333311081 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.334435940 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.334490061 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.334530115 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.334573984 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.335689068 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.335807085 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.335854053 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.337174892 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.337368965 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.337418079 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.338306904 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.338457108 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.338514090 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.339291096 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.339390993 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.339441061 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.340522051 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.340768099 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.341698885 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.341753006 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.341806889 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.341852903 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.342957020 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.343097925 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.343157053 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.344176054 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.344326019 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.345788002 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.345861912 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.345864058 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.345916033 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.346709967 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.346734047 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.346965075 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.347774982 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.347840071 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.347907066 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.349000931 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.349107027 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.349158049 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.350219965 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.350334883 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.350956917 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.351432085 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.351541042 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.351633072 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.351660013 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.351660013 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.352628946 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.352737904 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.352782965 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.354062080 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.354167938 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.354959011 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.355088949 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.355190992 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.356476068 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.356528997 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.356549025 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.356590986 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.357516050 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.357698917 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.358716965 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.358778954 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.358834028 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.358879089 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.359946966 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.360090971 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.360145092 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.361159086 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.361212015 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.362365961 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.362421036 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.362454891 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.362503052 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.373493910 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.373527050 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.501205921 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.501307011 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.501492977 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.501768112 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.501852989 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.501899004 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.503032923 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.503135920 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.503174067 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.504198074 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.504327059 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.505162954 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.505420923 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.505542040 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.505578995 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.506640911 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.506766081 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.506802082 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.507870913 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.508002996 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.508450985 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.509015083 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.509057045 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.509324074 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.510313988 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.510426044 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.510472059 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.511516094 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.511676073 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.511827946 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.512751102 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.512840986 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.512886047 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.513927937 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.514029980 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.514190912 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.515150070 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.515192986 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.515228033 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.516366005 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.516475916 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.516653061 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.517590046 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.517658949 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.517714977 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.518866062 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.518929958 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.519002914 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.520009041 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.520134926 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.520344973 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.521264076 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.521370888 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.521414995 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.522428036 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.522495985 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.522536993 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.523727894 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.523813963 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.523848057 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.524844885 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.524983883 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.525016069 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.526072025 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.526268005 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.526956081 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.527329922 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.527383089 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.528340101 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.528495073 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.528633118 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.528664112 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.529736996 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.529903889 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.529939890 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.530939102 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.531028986 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.531064987 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.532224894 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.532299042 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.532332897 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.533384085 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.533512115 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.533550024 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.534697056 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.534859896 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.534905910 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.535789967 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.535948992 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.536083937 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.537121058 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.537309885 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.537353039 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.538213968 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.538372993 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.538487911 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.539453983 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.539565086 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.540644884 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.540692091 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.540703058 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.540730953 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.541894913 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.542094946 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.542237043 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.543072939 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.543140888 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.543201923 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.544300079 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.544393063 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.544711113 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.545552969 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.545670986 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.545763969 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.546720982 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.546897888 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.546936989 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.548023939 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.548125029 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.548167944 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.549140930 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.549237967 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.549526930 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.550378084 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.550493002 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.550534010 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.551573038 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.551623106 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.551697016 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.552788019 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.552953005 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.553297043 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.554054976 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.554230928 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.554285049 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.555221081 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.555294037 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.555329084 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.556461096 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.556587934 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.556678057 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.557643890 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.557722092 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.557826996 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.558844090 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.558973074 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.559009075 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.560062885 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.560162067 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.560399055 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.561261892 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.561387062 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.561573982 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.562505960 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.562635899 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.562688112 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.563810110 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.563967943 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.564053059 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.564874887 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.614535093 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.702641010 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.702671051 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.702727079 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.703344107 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.703533888 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.703577995 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.704394102 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.704514980 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.704601049 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.705576897 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.705723047 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.705765963 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.706799984 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.706902981 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.706955910 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.707993984 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.708127975 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.708170891 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.709208012 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.709301949 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.709343910 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.710412025 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.710515976 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.710565090 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.711613894 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.711673975 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.711743116 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.712847948 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.712940931 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.712981939 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.714032888 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.714099884 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.714137077 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.715260029 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.715338945 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.715384007 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.716466904 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.716595888 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.716636896 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.717662096 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.717744112 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.717783928 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.718924046 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.719036102 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.719088078 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.720067978 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.720190048 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.720231056 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.721275091 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.721323013 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.721398115 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.722480059 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.722578049 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.722621918 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.723684072 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.723797083 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.723843098 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.724895000 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.724997044 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.725054026 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.726083994 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.726201057 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.726244926 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.727324963 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.727401018 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.727447987 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.728498936 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.728645086 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.728698015 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.729736090 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.729792118 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.729839087 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.730921030 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.731005907 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.731061935 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.732126951 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.732238054 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.732285976 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.733350039 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.733491898 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.733540058 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.734608889 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.734762907 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.734805107 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.735754967 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.735847950 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.735944033 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.736974955 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.737076998 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.737128019 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.738213062 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.738401890 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.738445997 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.739367008 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.739465952 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.739547014 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.740621090 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.740748882 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.740838051 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.741792917 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.741893053 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.741936922 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.743017912 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.743083954 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.743136883 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.744244099 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.744349003 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.744396925 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.745404005 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.745527029 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.745702028 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.746618986 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.746774912 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.746819019 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.747853041 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.748018980 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.748078108 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.749046087 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.749162912 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.749207020 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.750227928 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.750332117 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.750397921 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.751533031 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.751739025 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.751781940 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.752684116 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.752712965 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.752760887 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.753881931 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.753983974 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.754046917 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.755081892 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.755155087 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.755259037 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.756300926 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.756406069 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.756500959 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.757487059 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.757555962 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.757602930 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.758693933 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.758899927 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.759108067 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.759933949 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.760031939 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.760077000 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.761162996 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.761266947 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.761401892 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.762303114 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.762415886 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.762459040 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.763524055 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.763660908 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.763699055 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.764831066 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.764975071 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.765069962 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.765990019 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.817663908 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.903920889 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.903994083 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.904056072 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.904397011 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.904469013 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.904511929 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.905581951 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.906032085 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.906078100 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.906145096 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.907269001 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.907308102 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.907322884 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.908577919 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.908622980 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.908740044 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.909674883 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.909728050 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.909764051 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.910866022 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.910914898 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.910973072 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.912168980 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.912220955 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.912265062 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.913325071 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.913382053 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.913474083 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.914494991 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.914558887 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.914571047 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.915688992 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.915731907 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.915791988 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.916995049 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.917043924 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.917077065 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.918159008 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.918175936 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.918215036 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.919723988 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.919737101 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.919831991 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.920537949 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.920591116 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.920608997 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.921792984 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.921838045 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.921840906 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.925129890 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.925142050 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.925154924 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.925167084 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.925182104 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.925220966 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.925714970 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.925755024 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.925899029 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.927021980 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.927067995 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.927171946 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.928251982 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.928263903 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.928312063 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.928958893 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.929003954 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.929100990 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.930219889 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.930268049 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.930366993 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.931549072 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.931561947 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.931611061 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.932627916 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.932730913 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.932882071 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.934071064 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.934132099 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.934197903 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.935180902 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.935235977 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.935259104 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.936342001 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.936353922 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.936397076 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.937602997 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.937654018 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.937793016 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.938641071 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.938740015 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.938911915 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.939913034 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.939971924 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.940047026 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.941298962 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.941312075 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.941353083 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.942298889 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.942318916 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.942358017 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.943507910 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.943543911 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.943567991 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.944904089 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.944917917 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.944967985 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.946075916 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.946091890 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.946147919 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.947118044 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.947175980 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.947248936 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.948575020 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.948594093 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.948626041 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.949588060 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.949760914 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.949768066 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.950720072 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.950851917 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.950877905 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.951900005 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.951993942 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.951997042 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.953210115 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.953267097 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.953310013 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.954658985 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.954670906 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.954741955 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.955599070 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.955650091 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.955876112 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.956825018 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.956873894 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.957108021 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.958024979 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.958106995 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.958174944 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.959155083 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.959229946 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.959402084 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.960655928 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.960666895 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.960707903 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.961560965 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.961606979 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.961627007 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.962856054 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.962877035 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.962907076 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.964154959 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.964168072 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.964205027 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.965367079 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.965399027 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.965444088 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:32.966377020 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.966526985 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:32.966581106 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.111358881 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.111471891 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.111515999 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.111891985 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.112029076 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.112082005 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.113125086 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.113192081 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.113236904 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.114314079 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.114478111 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.114528894 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.115533113 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.115662098 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.115703106 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.116754055 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.116806984 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.116869926 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.117978096 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.118052006 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.118093014 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.119209051 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.119334936 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.119395018 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.120326042 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.120434046 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.120480061 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.121543884 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.121642113 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.121699095 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.122816086 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.122932911 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.122986078 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.123981953 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.124097109 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.124182940 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.125200987 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.125308990 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.125371933 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.126410007 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.126456022 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.126493931 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.127650976 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.127794981 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.127837896 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.128823996 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.128935099 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.128978968 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.130031109 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.130150080 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.130192995 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.131213903 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.131359100 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.131405115 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.132405043 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.132551908 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.132601023 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.133656025 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.133776903 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.133821964 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.134917021 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.135030031 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.135077953 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.136037111 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.136190891 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.136241913 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.137290001 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.137434006 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.137475014 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.138459921 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.138575077 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.138784885 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.139668941 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.139786959 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.139831066 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.140866995 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.140943050 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.140985012 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.142318010 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.142565966 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.142610073 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.143481016 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.143580914 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.143631935 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.144511938 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.144628048 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.144748926 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.145771027 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.145910978 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.145975113 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.146931887 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.147041082 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.147085905 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.148179054 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.148313046 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.148370981 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.149343014 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.149451017 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.149591923 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.150532961 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.150621891 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.150665998 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.151819944 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.151925087 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.151971102 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.152957916 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.153052092 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.153110981 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.154201984 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.154301882 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.154350996 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.155383110 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.155509949 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.155556917 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.156595945 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.156728029 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.156785965 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.157881021 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.157973051 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.158020020 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.159063101 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.159158945 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.159208059 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.160207987 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.160339117 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.160382986 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.161411047 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.161514044 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.161559105 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.162587881 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.162719965 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.162766933 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.163825035 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.163914919 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.163955927 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.165076017 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.165177107 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.165222883 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.166224957 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.166332006 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.166371107 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.167463064 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.167644024 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.167689085 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.168638945 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.168756962 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.168802023 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.169846058 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.169915915 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.169959068 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.171083927 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.171224117 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.171262026 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.172261953 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.172379017 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.172424078 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.173522949 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.173604012 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.173652887 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.174633980 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.224054098 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.312474966 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.312609911 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.312797070 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.313256979 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.313563108 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.313647985 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.314348936 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.314410925 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.314459085 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.315511942 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.315608025 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.316253901 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.316705942 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.316845894 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.316890955 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.317925930 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.318034887 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.318178892 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.319127083 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.319230080 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.319284916 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.320318937 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.320439100 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.320489883 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.321547985 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.321651936 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.321866035 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.322807074 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.322897911 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.323117018 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.323971033 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.324059010 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.324109077 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.325177908 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.325382948 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.325448036 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.326455116 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.326500893 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.326616049 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.327605009 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.327711105 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.327765942 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.328833103 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.328969002 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.329019070 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.329982042 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.330104113 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.330177069 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.331219912 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.331338882 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.331950903 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.332382917 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.332489967 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.332542896 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.333600998 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.333709002 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.333764076 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.334889889 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.335005999 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.335088015 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.336067915 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.336409092 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.336463928 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.337225914 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.337332010 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.337403059 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.338432074 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.338548899 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.338711023 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.339637995 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.339746952 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.340329885 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.340863943 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.340977907 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.341022968 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.342080116 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.342165947 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.342398882 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.343266964 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.343349934 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.343395948 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.344481945 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.344577074 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.344621897 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.345659018 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.345792055 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.345868111 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.346898079 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.347018957 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.347071886 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.348170042 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.348270893 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.348318100 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.349320889 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.349451065 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.349498987 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.350584030 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.350708961 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.350755930 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.351743937 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.351902008 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.351949930 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.352938890 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.353048086 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.353096008 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.354229927 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.354374886 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.354430914 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.355362892 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.355509043 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.356002092 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.356568098 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.356796026 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.356842041 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.357845068 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.357990980 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.358032942 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.359133959 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.359222889 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.359270096 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.360174894 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.360274076 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.360323906 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.361484051 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.361562967 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.361603975 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.362658978 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.362755060 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.362806082 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.363836050 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.363957882 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.364557028 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.365045071 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.365164995 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.365211010 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.366242886 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.366353989 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.366410971 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.367532969 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.367620945 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.367687941 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.368632078 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.368752003 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.368841887 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.369832993 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.369956970 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.370008945 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.371057034 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.371176958 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.371352911 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.372250080 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.372370005 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.372420073 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.373461962 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.373601913 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.373660088 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.374686956 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.374758005 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.374809027 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.375802040 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.427023888 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.513890982 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.514115095 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.514168024 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.514359951 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.514514923 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.514559984 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.515696049 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.516180992 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.516340017 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.516515970 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.517216921 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.517298937 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.517324924 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.518574953 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.518634081 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.518745899 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.519656897 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.519704103 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.519727945 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.520812988 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.520874977 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.520917892 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.523494005 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.523554087 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.523642063 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.523783922 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.523797989 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.523900032 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.524832010 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.524878979 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.524960041 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.525991917 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.526041031 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.526119947 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.526954889 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.527061939 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.527076960 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.528278112 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.528325081 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.528440952 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.529341936 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.529390097 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.529450893 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.530716896 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.530730009 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.530766964 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.531677961 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.531723976 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.531857014 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.532924891 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.532975912 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.532995939 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.534106016 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.534148932 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.534286022 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.535329103 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.535375118 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.535410881 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.536528111 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.536588907 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.536612034 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.537722111 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.537781954 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.537834883 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.538933992 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.538981915 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.538990021 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.540132046 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.540220976 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.540234089 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.541344881 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.541393042 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.541424036 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.542562008 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.542614937 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.542692900 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.545025110 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.545037031 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.545051098 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.545077085 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.545109987 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.545156956 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.546472073 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.546516895 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.546633959 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.547677994 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.547729969 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.547836065 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.548573017 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.548708916 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.548753023 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.550019979 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.550034046 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.550075054 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.551086903 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.551168919 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.551201105 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.552346945 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.552432060 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.552495003 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.553570986 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.553585052 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.553628922 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.554609060 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.554662943 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.554721117 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.555870056 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.555922985 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.556001902 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.557049036 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.557156086 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.557229996 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.558320999 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.558382988 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.558454990 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.559602022 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.559705973 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.559717894 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.560678959 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.560775995 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.560908079 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.561887026 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.561939955 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.561956882 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.563103914 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.563211918 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.563263893 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.564307928 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.564363003 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.564443111 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.565484047 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.565589905 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.565648079 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.566701889 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.566756964 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.566787004 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.567925930 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.567939997 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.568070889 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.569122076 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.569161892 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.569238901 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.570295095 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.570400953 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.570455074 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.571495056 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.571551085 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.571625948 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.572753906 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.572879076 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.572985888 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.573955059 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.574091911 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.574143887 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.575160980 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.575390100 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.575438976 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.576354980 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.576436996 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.576487064 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.715187073 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.715310097 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.715373039 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.715781927 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.715862989 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.715971947 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.716978073 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.717411995 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.717456102 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.717525959 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.718687057 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.718744040 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.718916893 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.719868898 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.719928980 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.719968081 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.721050978 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.721110106 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.721149921 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.722304106 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.722367048 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.722384930 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.723844051 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.723855019 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.724052906 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.724694014 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.724754095 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.724781036 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.725893974 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.725971937 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.726011038 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.727087021 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.727143049 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.727210045 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.728388071 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.728435993 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.728542089 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.729512930 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.729566097 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.729587078 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.730705976 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.730756998 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.730834007 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.731930971 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.732021093 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.732033968 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.733158112 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.733243942 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.733251095 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.734311104 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.734359980 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.734421015 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.735539913 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.735593081 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.735619068 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.736735106 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.736785889 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.736944914 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.737934113 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.737981081 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.738013983 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.739175081 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.739224911 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.739301920 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.740346909 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.740392923 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.740462065 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.741574049 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.741624117 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.741682053 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.742794037 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.742842913 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.742875099 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.743999958 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.744056940 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.744077921 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.745230913 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.745276928 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.745337963 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.746386051 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.746424913 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.746500015 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.747606039 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.747656107 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.747663021 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.748830080 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.748959064 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.748995066 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.750097036 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.750143051 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.750225067 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.751238108 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.751290083 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.751427889 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.752429962 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.752501011 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.752521992 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.759370089 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.759392977 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.759404898 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.759416103 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.759428024 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.759438038 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.759448051 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.759459019 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.759460926 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.759480953 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.759495020 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.759510994 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.759535074 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.759654999 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.759769917 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.759795904 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.760870934 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.760971069 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.760986090 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.762069941 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.762132883 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.762178898 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.763369083 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.763416052 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.763444901 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.764653921 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.764873028 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.764930964 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.765747070 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.765841961 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.765899897 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.766921043 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.767044067 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.767096996 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.768115044 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.768158913 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.768224955 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.769382954 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.769418955 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.769474030 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.770545006 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.770602942 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.770652056 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.771768093 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.771828890 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.771884918 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.772984982 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.773070097 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.773102999 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.774204016 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.774310112 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.774367094 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.775427103 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.775597095 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.775645971 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.776618004 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.776715040 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.776729107 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.777777910 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.777880907 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.777941942 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.916842937 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.916920900 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.917155981 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.917327881 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.917483091 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.918574095 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.918632984 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.918670893 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.918783903 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.919724941 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.919837952 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.919936895 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.920922995 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.921077013 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.921137094 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.922113895 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.922221899 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.922333002 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.923378944 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.923552990 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.923614979 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.924505949 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.924618006 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.924685955 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.925682068 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.925806046 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.925882101 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.926923037 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.927045107 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.927207947 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.928102970 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.928229094 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.928328991 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.929311037 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.929400921 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.929790020 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.930480957 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.930557966 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.930604935 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.931725025 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.931898117 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.931969881 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.932934999 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.933114052 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.933244944 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.934084892 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.934247971 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.935183048 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.935269117 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.935405970 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.936439991 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.936501026 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.936501980 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.936557055 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.937668085 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.937777996 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.937824965 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.938868999 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.938972950 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.939032078 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.940032959 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.940093040 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.940273046 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.941239119 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.941337109 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.941653013 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.942425013 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.942548037 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.942692995 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.943635941 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.943739891 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.943856001 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.944808006 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.944916010 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.944960117 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.946006060 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.946115017 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.946233034 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.947195053 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.947325945 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.947369099 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.948385000 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.948677063 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.948724985 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.949635983 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.949807882 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.949918032 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.950925112 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.951005936 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.951150894 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.951972008 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.952034950 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.952157974 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.953224897 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.953318119 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.953612089 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.954379082 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.954474926 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.954516888 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.955585957 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.955705881 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.955745935 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.956840992 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.956914902 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.956980944 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.957968950 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.958066940 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.958159924 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.959156036 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.959261894 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.959445953 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.960366011 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.960468054 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.960519075 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.961576939 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.961659908 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.961705923 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.962779999 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.962891102 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.962940931 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.963929892 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.964039087 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.965034008 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.965126038 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.965239048 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.966300011 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.966373920 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.966415882 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.966464043 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.967535973 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.967623949 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.967685938 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.968734980 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.968838930 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.968887091 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.969929934 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.970079899 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.970140934 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.971112013 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.971210003 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.971261024 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.972297907 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.972415924 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.972518921 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.973473072 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.973606110 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.973783970 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.974769115 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.974970102 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.975068092 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.975925922 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.975938082 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.975991964 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.977075100 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.977180004 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.977226973 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.978275061 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.978390932 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:33.978570938 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:33.979396105 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.020843029 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:34.118000031 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.118163109 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.118551016 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.118603945 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:34.118637085 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.119374037 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:34.119751930 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.119868994 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.120913982 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.120965004 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:34.121022940 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.121100903 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:34.122103930 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.122186899 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.123085976 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:34.123337030 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.123497009 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.124525070 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.124572992 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:34.124629021 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.124672890 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:34.125689983 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.125802040 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.125848055 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:34.126893044 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.127019882 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.128093004 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.128160954 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:34.128209114 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.128242016 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:34.129287958 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.129391909 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.129441977 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:34.130462885 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.130569935 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.130954981 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:34.131673098 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.131769896 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.132900000 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.132952929 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:34.133071899 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.133116961 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:34.134043932 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.134172916 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.134226084 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:34.135381937 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.135504007 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.135711908 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:34.151140928 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:34.161058903 CET	49910	7982	192.168.2.6	104.37.175.218
Nov 25, 2024 21:35:34.271051884 CET	7982	49910	104.37.175.218	192.168.2.6
Nov 25, 2024 21:35:34.281613111 CET	7982	49910	104.37.175.218	192.168.2.6

Target ID:	0
Start time:	15:34:01
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x7ff7e5e00000
File size:	954'368 bytes
MD5 hash:	96A7B754CA8E8F35AE9E2B88B9F25658
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:34:02
Start date:	25/11/2024
Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe
Imagebase:	0xc20000
File size:	1'177'088 bytes
MD5 hash:	2354E800EEFC681A7D60F3B6B28ACFD9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000001.00000002.2938052510.00000000056B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000001.00000002.2931668884.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 34%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:34:14
Start date:	25/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Imagebase:	0x7ff67add0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:34:41
Start date:	25/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0x280000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	15:34:43
Start date:	25/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0x160000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	15:34:46
Start date:	25/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0xe0000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	15:34:49
Start date:	25/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0xe50000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000010.00000002.2946578088.0000000001610000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	15:35:22
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\fontdrvhost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\fontdrvhost.exe"
Imagebase:	0xe50000
File size:	676'584 bytes
MD5 hash:	8D0DA0C5DCF1A14F9D65F5C0BEA53F3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000012.00000003.2941844125.0000000000760000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000012.00000003.2946060481.0000000004D00000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000012.00000002.3046180127.0000000000A30000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000012.00000003.2945665948.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	15:35:23
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 420
Imagebase:	0x650000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	15:35:33
Start date:	25/11/2024
Path:	C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\fontdrvhost.exe"
Imagebase:	0x7ff7d9200000
File size:	827'408 bytes
MD5 hash:	BBCB897697B3442657C7D6E3EDDBD25F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	15:35:36
Start date:	25/11/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 8124 -s 136
Imagebase:	0x7ff652780000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	24.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	42.4%
Total number of Nodes:	989
Total number of Limit Nodes:	45

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF7E5E0721C Relevance: 54.6, APIs: 17, Strings: 14, Instructions: 372
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF7E5E072AC
CompareStringA.KERNEL32 ref: 00007FF7E5E07373
GetProcAddress.KERNEL32 ref: 00007FF7E5E07511

Part of subcall function 00007FF7E5E05140: FindResourceA.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E05168
Part of subcall function 00007FF7E5E05140: SizeofResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E05179
Part of subcall function 00007FF7E5E05140: FindResourceA.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E0519F
Part of subcall function 00007FF7E5E05140: LoadResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E051B0
Part of subcall function 00007FF7E5E05140: LockResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E051BF
Part of subcall function 00007FF7E5E05140: memcpy_s.MSVCRT ref: 00007FF7E5E051DE
Part of subcall function 00007FF7E5E05140: FreeResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E051ED

CompareStringA.KERNEL32 ref: 00007FF7E5E07475
FreeLibrary.KERNEL32 ref: 00007FF7E5E075EC
LocalFree.KERNEL32 ref: 00007FF7E5E07617
FreeLibrary.KERNEL32 ref: 00007FF7E5E0763A
LocalFree.KERNEL32 ref: 00007FF7E5E07649

Strings

rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 00007FF7E5E07830
DoInfInstall, xrefs: 00007FF7E5E07507, 00007FF7E5E0768D
ADMQCMD, xrefs: 00007FF7E5E0732A
RUNPROGRAM, xrefs: 00007FF7E5E073A2
advpack.dll, xrefs: 00007FF7E5E076E0
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF7E5E07548, 00007FF7E5E0781A
SHOWWINDOW, xrefs: 00007FF7E5E072D0
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00007FF7E5E0776C
<None>, xrefs: 00007FF7E5E07355, 00007FF7E5E07457
REBOOT, xrefs: 00007FF7E5E0727B
wextract_cleanup0, xrefs: 00007FF7E5E0779D, 00007FF7E5E07860
USRQCMD, xrefs: 00007FF7E5E0733B
Comp, xrefs: 00007FF7E5E07530
POSTRUNPROGRAM, xrefs: 00007FF7E5E07436

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: Resource$Free$CompareFindLibraryLocalString$AddressLoadLockProcSizeofmemcpy_smemset
String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Comp$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$Software\Microsoft\Windows\CurrentVersion\RunOnce$USRQCMD$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup0
API String ID: 2679723528-1916881147
Opcode ID: 7c15d2287e13f44bf5b0efd27726c7da16db5c9add0c0a7c4d9a2026f4990c77
Instruction ID: 57388ed3ba7390ef447972a8c4b6d4dd32cea146507a191c9504c83bc7230109
Opcode Fuzzy Hash: 7c15d2287e13f44bf5b0efd27726c7da16db5c9add0c0a7c4d9a2026f4990c77
Instruction Fuzzy Hash: 08025171A0864A86EB60AF14EA603B9B7A0FB44B4CFC45137DACD8B694DF3CD545C721

Function 00007FF7E5E01A08 Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 181
registrylibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF7E5E01A4A
memset.MSVCRT ref: 00007FF7E5E01A58
RegCreateKeyExA.KERNELBASE ref: 00007FF7E5E01A98
RegQueryValueExA.KERNELBASE ref: 00007FF7E5E01AEE
RegCloseKey.ADVAPI32 ref: 00007FF7E5E01B0C
GetSystemDirectoryA.KERNEL32 ref: 00007FF7E5E01B2A
LoadLibraryA.KERNELBASE ref: 00007FF7E5E01B4C
GetProcAddress.KERNEL32 ref: 00007FF7E5E01B6E
FreeLibrary.KERNELBASE ref: 00007FF7E5E01B84
GetSystemDirectoryA.KERNEL32 ref: 00007FF7E5E01B9F
LocalAlloc.KERNEL32 ref: 00007FF7E5E01BFC
GetModuleFileNameA.KERNEL32 ref: 00007FF7E5E01C3F
RegCloseKey.ADVAPI32 ref: 00007FF7E5E01C58
RegSetValueExA.KERNELBASE ref: 00007FF7E5E01CC6
RegCloseKey.KERNELBASE ref: 00007FF7E5E01CD7
LocalFree.KERNEL32 ref: 00007FF7E5E01CE6

Strings

rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 00007FF7E5E01C73
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00007FF7E5E01A69
wextract_cleanup%d, xrefs: 00007FF7E5E01AB5
wextract_cleanup0, xrefs: 00007FF7E5E01AC1, 00007FF7E5E01ADC, 00007FF7E5E01CAB
%s /D:%s, xrefs: 00007FF7E5E01C87
DelNodeRunDLL32, xrefs: 00007FF7E5E01B64
advpack.dll, xrefs: 00007FF7E5E01B36
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF7E5E01BC6

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery
String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup0
API String ID: 1522771004-607953301
Opcode ID: 4787bf835d2d00f0f2994409a2d2f4fd237c0eb5fe9aa116df46f60fe985a84b
Instruction ID: 3e20797b9a79e74fd840edbe2a8a44b33191af95aeeb880b56c062c830c6583c
Opcode Fuzzy Hash: 4787bf835d2d00f0f2994409a2d2f4fd237c0eb5fe9aa116df46f60fe985a84b
Instruction Fuzzy Hash: BE814E32A08B8986E710AF11E9603B9F7A1FB89F58F845136DA8E8B754DF3CD105CB51

Function 00007FF7E5E01D28 Relevance: 37.1, APIs: 10, Strings: 11, Instructions: 373
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CompareStringA.KERNEL32 ref: 00007FF7E5E01EDA
GetFileAttributesA.KERNEL32 ref: 00007FF7E5E01EF4
LocalAlloc.KERNEL32 ref: 00007FF7E5E01F5F
GetPrivateProfileIntA.KERNEL32 ref: 00007FF7E5E01F9E
GetPrivateProfileStringA.KERNEL32 ref: 00007FF7E5E01FE2
GetShortPathNameA.KERNEL32 ref: 00007FF7E5E02094

Part of subcall function 00007FF7E5E061E8: LoadStringA.USER32 ref: 00007FF7E5E06278
Part of subcall function 00007FF7E5E061E8: MessageBoxA.USER32 ref: 00007FF7E5E062B8

Strings

setupx.dll, xrefs: 00007FF7E5E0208D
DefaultInstall, xrefs: 00007FF7E5E01F7C
Reboot, xrefs: 00007FF7E5E01F8B
.BAT, xrefs: 00007FF7E5E02118
AdvancedINF, xrefs: 00007FF7E5E01FCC
Version, xrefs: 00007FF7E5E01FD3
.INF, xrefs: 00007FF7E5E01EBC
Command.com /c %s, xrefs: 00007FF7E5E02147
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF7E5E01E52
rundll32.exe %s,InstallHinfSection %s 128 %s, xrefs: 00007FF7E5E020B7
setupapi.dll, xrefs: 00007FF7E5E020A2

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
String ID: .BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
API String ID: 383838535-3614570713
Opcode ID: 2e4a39167a847aef4def7ff9a37549632115461138b4cb5282ed996653afc72e
Instruction ID: c343383e805e228e2662bac3fa10bc37e1c910e8ca9a4df3bb75bd0d8c913fb9
Opcode Fuzzy Hash: 2e4a39167a847aef4def7ff9a37549632115461138b4cb5282ed996653afc72e
Instruction Fuzzy Hash: D3F1B262A0878A95EB11AF10E6603B9B7A0FB45F48FD44132DACD8B795DF3DD90AC311

Function 00007FF7E5E0521C Relevance: 35.3, APIs: 14, Strings: 6, Instructions: 299
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7E5E05140: FindResourceA.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E05168
Part of subcall function 00007FF7E5E05140: SizeofResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E05179
Part of subcall function 00007FF7E5E05140: FindResourceA.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E0519F
Part of subcall function 00007FF7E5E05140: LoadResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E051B0
Part of subcall function 00007FF7E5E05140: LockResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E051BF
Part of subcall function 00007FF7E5E05140: memcpy_s.MSVCRT ref: 00007FF7E5E051DE
Part of subcall function 00007FF7E5E05140: FreeResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E051ED

LocalAlloc.KERNEL32 ref: 00007FF7E5E05268
lstrcmpA.KERNEL32 ref: 00007FF7E5E05307
LocalFree.KERNEL32 ref: 00007FF7E5E0532E
LocalFree.KERNEL32 ref: 00007FF7E5E052E5

Part of subcall function 00007FF7E5E061E8: LoadStringA.USER32 ref: 00007FF7E5E06278
Part of subcall function 00007FF7E5E061E8: MessageBoxA.USER32 ref: 00007FF7E5E062B8

Part of subcall function 00007FF7E5E06590: GetLastError.KERNEL32 ref: 00007FF7E5E06594

GetTempPathA.KERNEL32 ref: 00007FF7E5E053BA
GetDriveTypeA.KERNEL32 ref: 00007FF7E5E05456
GetFileAttributesA.KERNEL32 ref: 00007FF7E5E05473
GetDiskFreeSpaceA.KERNEL32 ref: 00007FF7E5E054CB
MulDiv.KERNEL32 ref: 00007FF7E5E054EE
GetWindowsDirectoryA.KERNEL32 ref: 00007FF7E5E05562
GetFileAttributesA.KERNEL32 ref: 00007FF7E5E05587
CreateDirectoryA.KERNEL32 ref: 00007FF7E5E0559F
SetFileAttributesA.KERNEL32 ref: 00007FF7E5E055CF
GetWindowsDirectoryA.KERNEL32 ref: 00007FF7E5E0563B

Part of subcall function 00007FF7E5E064B0: FindResourceA.KERNEL32 ref: 00007FF7E5E064DA
Part of subcall function 00007FF7E5E064B0: LoadResource.KERNEL32 ref: 00007FF7E5E064F1
Part of subcall function 00007FF7E5E064B0: DialogBoxIndirectParamA.USER32 ref: 00007FF7E5E06527
Part of subcall function 00007FF7E5E064B0: FreeResource.KERNEL32 ref: 00007FF7E5E06539

Strings

A:\, xrefs: 00007FF7E5E05405
<None>, xrefs: 00007FF7E5E052FD
RUNPROGRAM, xrefs: 00007FF7E5E05250, 00007FF7E5E052B1
msdownld.tmp, xrefs: 00007FF7E5E0556E
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF7E5E053A7
Z, xrefs: 00007FF7E5E05446

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: Resource$Free$AttributesDirectoryFileFindLoadLocal$Windows$AllocCreateDialogDiskDriveErrorIndirectLastLockMessageParamPathSizeofSpaceStringTempTypelstrcmpmemcpy_s
String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$RUNPROGRAM$Z$msdownld.tmp
API String ID: 3973824516-1370313076
Opcode ID: 5d936fd06448e7924da8f5d7fa4264b0fdc18f972724515d1c910980030b4c7f
Instruction ID: 6f2b3b8bc26c2c14f178166b4700e36659659b9025f4508f04a0398ded195426
Opcode Fuzzy Hash: 5d936fd06448e7924da8f5d7fa4264b0fdc18f972724515d1c910980030b4c7f
Instruction Fuzzy Hash: 03D19531A1864A86EB10AF10A6603BAE7A1FB85F48FD45037DACDCB695DF3DD805CB11

Function 00007FF7E5E05810 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 183
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF7E5E0586B
memset.MSVCRT ref: 00007FF7E5E0587F

Part of subcall function 00007FF7E5E05140: FindResourceA.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E05168
Part of subcall function 00007FF7E5E05140: SizeofResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E05179
Part of subcall function 00007FF7E5E05140: FindResourceA.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E0519F
Part of subcall function 00007FF7E5E05140: LoadResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E051B0
Part of subcall function 00007FF7E5E05140: LockResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E051BF
Part of subcall function 00007FF7E5E05140: memcpy_s.MSVCRT ref: 00007FF7E5E051DE
Part of subcall function 00007FF7E5E05140: FreeResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E051ED

CreateEventA.KERNEL32 ref: 00007FF7E5E058BC
SetEvent.KERNEL32 ref: 00007FF7E5E058D2
CreateMutexA.KERNEL32 ref: 00007FF7E5E05965
GetLastError.KERNEL32 ref: 00007FF7E5E05981
FindResourceExA.KERNEL32 ref: 00007FF7E5E05A4C
LoadResource.KERNEL32 ref: 00007FF7E5E05A63

Part of subcall function 00007FF7E5E03DF0: GetVersionExA.KERNEL32 ref: 00007FF7E5E03E3B

#17.COMCTL32 ref: 00007FF7E5E05A7A
CloseHandle.KERNEL32 ref: 00007FF7E5E059E7

Part of subcall function 00007FF7E5E061E8: LoadStringA.USER32 ref: 00007FF7E5E06278
Part of subcall function 00007FF7E5E061E8: MessageBoxA.USER32 ref: 00007FF7E5E062B8

Strings

INSTANCECHECK, xrefs: 00007FF7E5E05943
TITLE, xrefs: 00007FF7E5E0589A
VERCHECK, xrefs: 00007FF7E5E05A42
, xrefs: 00007FF7E5E059CE
Comp, xrefs: 00007FF7E5E05893, 00007FF7E5E05997
EXTRACTOPT, xrefs: 00007FF7E5E058E9

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: Resource$FindLoad$CreateEventmemset$CloseErrorFreeHandleLastLockMessageMutexSizeofStringVersionmemcpy_s
String ID: $Comp$EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK
API String ID: 3100096412-3832775925
Opcode ID: 8653199e0f438de8d8069cf14c7024af3c928556c2760d006214bcddc3634e53
Instruction ID: bf412251f6e4da0c5d3d3870585a343ea6f819ac23bd62296f0be4f577dd4d7a
Opcode Fuzzy Hash: 8653199e0f438de8d8069cf14c7024af3c928556c2760d006214bcddc3634e53
Instruction Fuzzy Hash: C2816C21A0864B86F760BB10AA653B9E690AB45F8CFC45037D9CDCF695DF3CE441CB22

Function 00007FF7E5E05B50 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryA.KERNEL32 ref: 00007FF7E5E05BA9
SetCurrentDirectoryA.KERNELBASE ref: 00007FF7E5E05BB8

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF7E5E05B66

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: CurrentDirectory
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 1611563598-388467436
Opcode ID: 4926850c6f80b5d2401089667c5e764d4b6a610568242aaae11311db6a7c54a3
Instruction ID: 8baef6e6565f6492ed8948e259254c07ff5ba4b1d1be31ea5c47d3b90b0429ec
Opcode Fuzzy Hash: 4926850c6f80b5d2401089667c5e764d4b6a610568242aaae11311db6a7c54a3
Instruction Fuzzy Hash: 21A19376A0874686E720AF10E6547AAFBA0FB89B48F844137DACD8B754DF3CD445CB11

Function 00007FF7E5E04BE0 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 124
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7E5E05140: FindResourceA.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E05168
Part of subcall function 00007FF7E5E05140: SizeofResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E05179
Part of subcall function 00007FF7E5E05140: FindResourceA.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E0519F
Part of subcall function 00007FF7E5E05140: LoadResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E051B0
Part of subcall function 00007FF7E5E05140: LockResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E051BF
Part of subcall function 00007FF7E5E05140: memcpy_s.MSVCRT ref: 00007FF7E5E051DE
Part of subcall function 00007FF7E5E05140: FreeResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E051ED

FindResourceA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7E5E04938), ref: 00007FF7E5E04C10
LoadResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7E5E04938), ref: 00007FF7E5E04C21
LockResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7E5E04938), ref: 00007FF7E5E04C30
GetDlgItem.USER32 ref: 00007FF7E5E04C5D
ShowWindow.USER32(?,?,?,?,?,?,?,?,00000000,00007FF7E5E04938), ref: 00007FF7E5E04C6E
GetDlgItem.USER32 ref: 00007FF7E5E04C86
ShowWindow.USER32(?,?,?,?,?,?,?,?,00000000,00007FF7E5E04938), ref: 00007FF7E5E04C9A
#20.CABINET ref: 00007FF7E5E04D0D
#22.CABINET ref: 00007FF7E5E04D53
#23.CABINET ref: 00007FF7E5E04D68
FreeResource.KERNEL32 ref: 00007FF7E5E04DB1
SendMessageA.USER32 ref: 00007FF7E5E04E13

Strings

CABINET, xrefs: 00007FF7E5E04BED, 00007FF7E5E04C07
*MEMCAB, xrefs: 00007FF7E5E04D44

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
String ID: *MEMCAB$CABINET
API String ID: 1305606123-2642027498
Opcode ID: c58bcb9b074187ce5f9bb8efe3d3a205079a6ea7fdf4a44bf9905c0b86b0ae6c
Instruction ID: 44dd99f467eeb7a0b0734e63f7f2eab99697c40f8809caa8337318ca8354aa48
Opcode Fuzzy Hash: c58bcb9b074187ce5f9bb8efe3d3a205079a6ea7fdf4a44bf9905c0b86b0ae6c
Instruction Fuzzy Hash: C1511A71A08B4A86EB50AB10E6643B5E6A0FF89F49FC44136C9CDCB694DF3CE5058762

Function 00007FF7E5E046E8 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 152
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32 ref: 00007FF7E5E04763
LoadLibraryA.KERNEL32 ref: 00007FF7E5E04787
GetProcAddress.KERNEL32 ref: 00007FF7E5E047A5
DecryptFileA.ADVAPI32 ref: 00007FF7E5E047C9
FreeLibrary.KERNEL32 ref: 00007FF7E5E047D2
GetWindowsDirectoryA.KERNEL32 ref: 00007FF7E5E04803

Part of subcall function 00007FF7E5E056C8: LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF7E5E0471F), ref: 00007FF7E5E056ED

Strings

advapi32.dll, xrefs: 00007FF7E5E0476F
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF7E5E047C2, 00007FF7E5E04879
DecryptFileA, xrefs: 00007FF7E5E0479B

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: DirectoryLibrary$AddressAllocDecryptFileFreeLoadLocalProcSystemWindows
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DecryptFileA$advapi32.dll
API String ID: 3010855178-2712585282
Opcode ID: d180db5752f1a20bb576ee2c9673d43da1fa3d8942f9ec25ef1480d3d5d04a0c
Instruction ID: e252aa38f7e26a72b472d0e4c0d85954fd96457d5855ab95005cac875d469281
Opcode Fuzzy Hash: d180db5752f1a20bb576ee2c9673d43da1fa3d8942f9ec25ef1480d3d5d04a0c
Instruction Fuzzy Hash: 27712961E0874B86FA60BB50AB61375E690AF94F4DFC44437D9CDCA291DE7CE8418732

Function 00007FF7E5E041EC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(?,?,?,?,?,?,0000000A,00007FF7E5E0807B), ref: 00007FF7E5E04337

Part of subcall function 00007FF7E5E04FD8: RemoveDirectoryA.KERNELBASE(0000000A,00007FF7E5E0807B), ref: 00007FF7E5E05074
Part of subcall function 00007FF7E5E04FD8: GetFileAttributesA.KERNELBASE ref: 00007FF7E5E05083
Part of subcall function 00007FF7E5E04FD8: GetTempFileNameA.KERNEL32 ref: 00007FF7E5E050B0
Part of subcall function 00007FF7E5E04FD8: DeleteFileA.KERNEL32 ref: 00007FF7E5E050C8
Part of subcall function 00007FF7E5E04FD8: CreateDirectoryA.KERNEL32 ref: 00007FF7E5E050D9

GetSystemInfo.KERNEL32(?,?,?,?,?,?,0000000A,00007FF7E5E0807B), ref: 00007FF7E5E04284
RemoveDirectoryA.KERNEL32(?,?,?,?,?,?,0000000A,00007FF7E5E0807B), ref: 00007FF7E5E04390

Strings

alpha, xrefs: 00007FF7E5E042B1
i386, xrefs: 00007FF7E5E042C3
ppc, xrefs: 00007FF7E5E042A8
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF7E5E04230, 00007FF7E5E042E7
mips, xrefs: 00007FF7E5E042BA

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$alpha$i386$mips$ppc
API String ID: 1979080616-1143122538
Opcode ID: ef5d81014ef313249934d52286ddd07c22df379486773ae6037eb97752fc4e5b
Instruction ID: 27bc51c52d7a5c4f43ec83922da84037137ea7918d57c36b804111ff251bf0d5
Opcode Fuzzy Hash: ef5d81014ef313249934d52286ddd07c22df379486773ae6037eb97752fc4e5b
Instruction Fuzzy Hash: 15514D61B0C74A81EA54AB15AB243B9E7A0AF45F48FD85137C9CDCB691CF7CE805C362

Function 00007FF7E5E07010 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 114
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE ref: 00007FF7E5E07091
WaitForSingleObject.KERNEL32 ref: 00007FF7E5E070AD
GetExitCodeProcess.KERNELBASE ref: 00007FF7E5E070C3
CloseHandle.KERNEL32 ref: 00007FF7E5E0714F
CloseHandle.KERNEL32 ref: 00007FF7E5E07160

Strings

, xrefs: 00007FF7E5E0707F

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateExitObjectSingleWait
String ID:
API String ID: 976364251-3916222277
Opcode ID: 19170bdb0185dcc4558629786d1e3b276faf8172c778104cd8efa3f0263b16b4
Instruction ID: 898ab0aed02d69a819ec2a32598b8ccee44cd6b6dd4efb051a6db915c1a6ac2d
Opcode Fuzzy Hash: 19170bdb0185dcc4558629786d1e3b276faf8172c778104cd8efa3f0263b16b4
Instruction Fuzzy Hash: CF51303290874986E760AF10EA6537AF7A0FB89B5CF944136DACECA694CF7CD444CB11

Function 00007FF7E5E07FE4 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 81
libraryloadershutdownCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32 ref: 00007FF7E5E07FF9
GetModuleHandleW.KERNEL32 ref: 00007FF7E5E08016
GetProcAddress.KERNEL32 ref: 00007FF7E5E08031
ExitWindowsEx.USER32 ref: 00007FF7E5E080E7
CloseHandle.KERNEL32 ref: 00007FF7E5E08106

Strings

@, xrefs: 00007FF7E5E080C0
HeapSetInformation, xrefs: 00007FF7E5E08027
Kernel32.dll, xrefs: 00007FF7E5E0800F

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: Handle$AddressCloseExitModuleProcVersionWindows
String ID: @$HeapSetInformation$Kernel32.dll
API String ID: 1302179841-1204263913
Opcode ID: 83a8c1ea104aff54c4d7c9c4dbf1586e791a1727480c60f852360176ee8197a3
Instruction ID: 65934a306a3bc1c2ccef0134ab9ac900a1043d3f6dc09bf7b4290e9c75ac0912
Opcode Fuzzy Hash: 83a8c1ea104aff54c4d7c9c4dbf1586e791a1727480c60f852360176ee8197a3
Instruction Fuzzy Hash: BA318221E0C24A86FA547F50A761377E690AF49F4CFC48033DA8ECB695CE7CE4418766

Function 00007FF7E5E026B8 Relevance: 12.1, APIs: 8, Instructions: 121
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE ref: 00007FF7E5E0275A
lstrcmpA.KERNEL32 ref: 00007FF7E5E027B9
lstrcmpA.KERNEL32 ref: 00007FF7E5E027D9
SetFileAttributesA.KERNEL32 ref: 00007FF7E5E02832
DeleteFileA.KERNEL32 ref: 00007FF7E5E02842
FindNextFileA.KERNELBASE ref: 00007FF7E5E02856
FindClose.KERNELBASE ref: 00007FF7E5E0286D
RemoveDirectoryA.KERNELBASE ref: 00007FF7E5E0287C

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 836429354-0
Opcode ID: 18f7d0d8df672b7f8ff2bc21405c924839be97c8656361e9f06e7a67ef0dde56
Instruction ID: 4ecaedbc82360754ccd22105812c94891c404d6c61664bb848681a8cd56e9ea3
Opcode Fuzzy Hash: 18f7d0d8df672b7f8ff2bc21405c924839be97c8656361e9f06e7a67ef0dde56
Instruction Fuzzy Hash: C151863661878A95EB01AF20D9603F9B7A1FB45F48FC48172DA8D8B695DF3CD909C321

Function 00007FF7E5E043CC Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 97
registryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNELBASE ref: 00007FF7E5E04411
DeleteFileA.KERNELBASE ref: 00007FF7E5E04420
LocalFree.KERNEL32 ref: 00007FF7E5E04433
LocalFree.KERNEL32 ref: 00007FF7E5E04442
SetCurrentDirectoryA.KERNELBASE ref: 00007FF7E5E044DB
RegOpenKeyExA.KERNELBASE ref: 00007FF7E5E0452E
RegDeleteValueA.KERNELBASE ref: 00007FF7E5E0454A
RegCloseKey.ADVAPI32 ref: 00007FF7E5E0455B

Strings

Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00007FF7E5E04520
wextract_cleanup0, xrefs: 00007FF7E5E04543
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF7E5E0447C

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: DeleteFileFreeLocal$AttributesCloseCurrentDirectoryOpenValue
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup0
API String ID: 3049360512-2186971993
Opcode ID: 945d950d7bb6d2b03bb19646d956afc38b938c28c29c6955e31643fe977d61b4
Instruction ID: 612c051b53cba5b2f7bb7a37a0ceea51e8628b0b8f4c1c360075ddc30df6dbf8
Opcode Fuzzy Hash: 945d950d7bb6d2b03bb19646d956afc38b938c28c29c6955e31643fe977d61b4
Instruction Fuzzy Hash: 4C512121A0874A86EB50AB10E764379F7A0FB89F49FC45132D68D8B694DF7CE844C722

Function 00007FF7E5E04FD8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 88
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RemoveDirectoryA.KERNELBASE(0000000A,00007FF7E5E0807B), ref: 00007FF7E5E05074
GetFileAttributesA.KERNELBASE ref: 00007FF7E5E05083
GetTempFileNameA.KERNEL32 ref: 00007FF7E5E050B0
DeleteFileA.KERNEL32 ref: 00007FF7E5E050C8
CreateDirectoryA.KERNEL32 ref: 00007FF7E5E050D9

Strings

IXP, xrefs: 00007FF7E5E050A3
IXP%03d.TMP, xrefs: 00007FF7E5E05012

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: File$Directory$AttributesCreateDeleteNameRemoveTemp
String ID: IXP$IXP%03d.TMP
API String ID: 4001122843-3932986939
Opcode ID: 950e06c3cc114e96d21c71c189c663bea0479e63569984cfb08e3cb431742b4e
Instruction ID: eab5ea4a334ac479241f94ce9a5028fc97a9edae558a78cfa760d4c24ed93330
Opcode Fuzzy Hash: 950e06c3cc114e96d21c71c189c663bea0479e63569984cfb08e3cb431742b4e
Instruction Fuzzy Hash: D2319131608A4586EA10AF15A9203FAB795FB8DF88FD99132CD8ECB391CE3CD445C721

Function 00007FF7E5E01150 Relevance: 12.1, APIs: 8, Instructions: 138
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7E5E018E4: GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7E5E01914
Part of subcall function 00007FF7E5E018E4: GetCurrentProcessId.KERNEL32 ref: 00007FF7E5E01922
Part of subcall function 00007FF7E5E018E4: GetCurrentThreadId.KERNEL32 ref: 00007FF7E5E0192E
Part of subcall function 00007FF7E5E018E4: GetTickCount.KERNEL32 ref: 00007FF7E5E0193A
Part of subcall function 00007FF7E5E018E4: GetTickCount.KERNEL32 ref: 00007FF7E5E0194A
Part of subcall function 00007FF7E5E018E4: QueryPerformanceCounter.KERNEL32 ref: 00007FF7E5E01965

GetStartupInfoW.KERNEL32 ref: 00007FF7E5E01185
_amsg_exit.MSVCRT ref: 00007FF7E5E011C0
Sleep.KERNEL32 ref: 00007FF7E5E011CF
_initterm.MSVCRT ref: 00007FF7E5E01267
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF7E5E01294
exit.MSVCRT ref: 00007FF7E5E01330
_cexit.MSVCRT ref: 00007FF7E5E0133F
_ismbblead.MSVCRT ref: 00007FF7E5E0135F

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: Current$CountTickTime$CounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThread_amsg_exit_cexit_initterm_ismbbleadexit
String ID:
API String ID: 2995914023-0
Opcode ID: dc0a5e20638ea67c63c6f64c653ebcfbc2cd40491069adb64e4f082b60295cf1
Instruction ID: 6df7338730a2e636dab2d924ae948df9b416ba1a16e4f42eb5841536cc723a6d
Opcode Fuzzy Hash: dc0a5e20638ea67c63c6f64c653ebcfbc2cd40491069adb64e4f082b60295cf1
Instruction Fuzzy Hash: F0615931A0864A86E724BB60EA61379A3A1FB44B48FC40037DACDCF694DF3CE444C722

Function 00007FF7E5E056C8 Relevance: 12.1, APIs: 5, Strings: 3, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7E5E05140: FindResourceA.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E05168
Part of subcall function 00007FF7E5E05140: SizeofResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E05179
Part of subcall function 00007FF7E5E05140: FindResourceA.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E0519F
Part of subcall function 00007FF7E5E05140: LoadResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E051B0
Part of subcall function 00007FF7E5E05140: LockResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E051BF
Part of subcall function 00007FF7E5E05140: memcpy_s.MSVCRT ref: 00007FF7E5E051DE
Part of subcall function 00007FF7E5E05140: FreeResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E051ED

LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF7E5E0471F), ref: 00007FF7E5E056ED
LocalFree.KERNEL32 ref: 00007FF7E5E05766

Part of subcall function 00007FF7E5E061E8: LoadStringA.USER32 ref: 00007FF7E5E06278
Part of subcall function 00007FF7E5E061E8: MessageBoxA.USER32 ref: 00007FF7E5E062B8

Part of subcall function 00007FF7E5E06590: GetLastError.KERNEL32 ref: 00007FF7E5E06594

Strings

<None>, xrefs: 00007FF7E5E0577E
UPROMPT, xrefs: 00007FF7E5E056D5, 00007FF7E5E05732
, xrefs: 00007FF7E5E057BC

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
String ID: $<None>$UPROMPT
API String ID: 957408736-2569542085
Opcode ID: aea35292e0b0d1d5dd38c3033b5e2eace57c3e947cdaa261d3646570dc64e0d9
Instruction ID: b5a7e1cb1176c4323e7aa94a6ba4ca0ea8141bb06b1395d16e121c98694668f1
Opcode Fuzzy Hash: aea35292e0b0d1d5dd38c3033b5e2eace57c3e947cdaa261d3646570dc64e0d9
Instruction Fuzzy Hash: 13319432A08246C6E720AB20E760379F650EB85B4CF844537DA8ECB695DF3CD0008B12

Function 00007FF7E5E08400 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 164filestringCOMMON

Download Yara Rule

APIs

lstrcmpA.KERNEL32 ref: 00007FF7E5E08487
CreateFileA.KERNELBASE ref: 00007FF7E5E08545
CreateFileA.KERNEL32 ref: 00007FF7E5E085FE

Strings

*MEMCAB, xrefs: 00007FF7E5E0847D

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: CreateFile$lstrcmp
String ID: *MEMCAB
API String ID: 1301100335-3211172518
Opcode ID: 882ecc141dfa2a6022f31e20c1b0ac6f4acce46d394e68a6a22d01aa207dc993
Instruction ID: 5bbe98cdfa7693abdacce89e66c97ecc6b1467771a4e09ee26b45989c6380c8d
Opcode Fuzzy Hash: 882ecc141dfa2a6022f31e20c1b0ac6f4acce46d394e68a6a22d01aa207dc993
Instruction Fuzzy Hash: 1D61B762A0C74A86F7609F14A6A0379B691F755F68F845336CAED877C0CF7CD0018B61

Function 00007FF7E5E081D1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 124timeCOMMON

Download Yara Rule

APIs

DosDateTimeToFileTime.KERNEL32 ref: 00007FF7E5E08280
LocalFileTimeToFileTime.KERNEL32 ref: 00007FF7E5E0829A
SetFileTime.KERNELBASE ref: 00007FF7E5E082C2
SetFileAttributesA.KERNELBASE ref: 00007FF7E5E082F8
SetDlgItemTextA.USER32 ref: 00007FF7E5E0832B

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF7E5E08247, 00007FF7E5E0833B

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: FileTime$AttributesDateItemLocalText
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 851750970-388467436
Opcode ID: 1b29dbb9e3ca8058bb845d1cdcb3f6214ba747c613cdf2411ff3bfa011323251
Instruction ID: 59ee5d54e32cf62b253d9d58326f086dbd90016e4899495499c4198b0ea8e213
Opcode Fuzzy Hash: 1b29dbb9e3ca8058bb845d1cdcb3f6214ba747c613cdf2411ff3bfa011323251
Instruction Fuzzy Hash: 7551B121A0C94A81EA60AF51D6243B9E760FF84F58F945233D98DCB6D4CF7CD445C7A1

Function 00007FF7E5E05ED8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FF7E5E05F08

Strings

TMP4351$.TMP, xrefs: 00007FF7E5E05FA5

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: AllocLocal
String ID: TMP4351$.TMP
API String ID: 3494564517-2619824408
Opcode ID: f6643adad851909dc84ab3123c3a019038264e65fc77465c454a882d24c4d207
Instruction ID: fddbd99234b7f65e58cc6436f1f6be87f69050aca9cf39c8724b4e7265d2c1ff
Opcode Fuzzy Hash: f6643adad851909dc84ab3123c3a019038264e65fc77465c454a882d24c4d207
Instruction Fuzzy Hash: F131B631A1868586F7106F15A620379F790EB85FA8F984336DAED8B7D1CF3CD4058711

Function 00007FF7E5E034D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,?,?,?,00000000,00007FF7E5E02566), ref: 00007FF7E5E03527
RegQueryValueExA.KERNELBASE(?,?,?,?,00000000,00007FF7E5E02566), ref: 00007FF7E5E03558
RegCloseKey.KERNELBASE(?,?,?,?,00000000,00007FF7E5E02566), ref: 00007FF7E5E03576

Strings

PendingFileRenameOperations, xrefs: 00007FF7E5E03546
System\CurrentControlSet\Control\Session Manager, xrefs: 00007FF7E5E03519

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager
API String ID: 3677997916-3057196482
Opcode ID: 340b8b646548313282c693838e7f25eceb0ba4f0296da7f4314fc4dbeecda6e5
Instruction ID: 462daa7a19dec79b946736bcb014bbd7834cbb6faa291a2438257b088459b40f
Opcode Fuzzy Hash: 340b8b646548313282c693838e7f25eceb0ba4f0296da7f4314fc4dbeecda6e5
Instruction Fuzzy Hash: 40116031A0864687E7206F19E56423AF6A1FB8DB59F904136DACD87B68CF3DD804CB11

Function 00007FF7E5E087A0 Relevance: 3.1, APIs: 2, Instructions: 51fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7E5E07F58: MsgWaitForMultipleObjects.USER32(?,?,?,?,?,?,?,?,?,00000001,00007FF7E5E04A99), ref: 00007FF7E5E07F7C
Part of subcall function 00007FF7E5E07F58: PeekMessageA.USER32 ref: 00007FF7E5E07FC2

WriteFile.KERNELBASE ref: 00007FF7E5E087F4

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: FileMessageMultipleObjectsPeekWaitWrite
String ID:
API String ID: 3430465807-0
Opcode ID: 991d4bdccbb001d71ab861eb250e50ad34ff21f81909168724640f7d797acd5b
Instruction ID: 877836426dbd134facb2c012a955ff3314e2ddd98ea197faa8f939d535eb694f
Opcode Fuzzy Hash: 991d4bdccbb001d71ab861eb250e50ad34ff21f81909168724640f7d797acd5b
Instruction Fuzzy Hash: A521B321A0854686E7109F16E660335E760FB84F9CFC48236D99C8B6E4CF7CE015CB61

Function 00007FF7E5E04140 Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE ref: 00007FF7E5E04152
SetFileAttributesA.KERNEL32 ref: 00007FF7E5E041C7

Part of subcall function 00007FF7E5E064B0: FindResourceA.KERNEL32 ref: 00007FF7E5E064DA
Part of subcall function 00007FF7E5E064B0: LoadResource.KERNEL32 ref: 00007FF7E5E064F1
Part of subcall function 00007FF7E5E064B0: DialogBoxIndirectParamA.USER32 ref: 00007FF7E5E06527
Part of subcall function 00007FF7E5E064B0: FreeResource.KERNEL32 ref: 00007FF7E5E06539

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: Resource$AttributesFile$DialogFindFreeIndirectLoadParam
String ID:
API String ID: 2018477427-0
Opcode ID: 4737db5ac4d1f4b61336884d07e3be5c2f7f4e323d7d01ce83fef1e9a7c030ba
Instruction ID: 53c043221fec808d9d5d149ced858685347f3f11cf1ba6fb6a4eb5ebe83538ca
Opcode Fuzzy Hash: 4737db5ac4d1f4b61336884d07e3be5c2f7f4e323d7d01ce83fef1e9a7c030ba
Instruction Fuzzy Hash: 49117931A0874E86FB507F10AB64336E6A0BF59B5CF944133C9CCCA694CF3CA8468762

Function 00007FF7E5E0887C Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CharPrevA.USER32 ref: 00007FF7E5E088C3

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: 8245624d2b9ebc6079e72f8030c20bb1c2af5584c94ac8071bf526b29981342a
Instruction ID: 46c8d6ca220de53061cbd5fedf9d725b05025599305a407afeb9cd2ca6c74fdc
Opcode Fuzzy Hash: 8245624d2b9ebc6079e72f8030c20bb1c2af5584c94ac8071bf526b29981342a
Instruction Fuzzy Hash: 87010411E0C7C9C6F3006B11A55032AFA90A745FA4FD892B1DBE98B7C5CFBCD4428762

Function 00007FF7E5E08160 Relevance: 1.3, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00007FF7E5E08199

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 631afb329a542f924e594eb567a6f67e576df5b656a914a684b149cc5fb41dd4
Instruction ID: 312dd7f11a7736dcb327a7f180a00eb638b5585717bf1c6ac7281b2a55283c51
Opcode Fuzzy Hash: 631afb329a542f924e594eb567a6f67e576df5b656a914a684b149cc5fb41dd4
Instruction Fuzzy Hash: A3F0623160C78682DB185F25F690278B360EB48F5CF804236DA6B8B6C4CE78D481C761

Non-executed Functions

Function 00007FF7E5E078AE Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 177windowCOMMON

Download Yara Rule

APIs

LoadStringA.USER32 ref: 00007FF7E5E0792A
EndDialog.USER32 ref: 00007FF7E5E07AD2
GetDesktopWindow.USER32 ref: 00007FF7E5E07B02
SetWindowTextA.USER32 ref: 00007FF7E5E07B23
SendDlgItemMessageA.USER32 ref: 00007FF7E5E07B47
GetDlgItem.USER32 ref: 00007FF7E5E07B64
EnableWindow.USER32 ref: 00007FF7E5E07B75
EndDialog.USER32 ref: 00007FF7E5E07B88

Strings

, xrefs: 00007FF7E5E07A36
Comp, xrefs: 00007FF7E5E07B19
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF7E5E079B5

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: Window$DialogItem$DesktopEnableLoadMessageSendStringText
String ID: $C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Comp
API String ID: 3530494346-1320786786
Opcode ID: 03c4772cdb7d6fccc57bfd75d5555ef236f98fe06d2964a5862beba3be9f39ab
Instruction ID: 95f70b304e3b8e4babe06bed54e488264474bb05e1e5327f60332b5dd5f6564d
Opcode Fuzzy Hash: 03c4772cdb7d6fccc57bfd75d5555ef236f98fe06d2964a5862beba3be9f39ab
Instruction Fuzzy Hash: 5A719861E0864A86F7507B11A720379EB92EB85F98FD48136CACDCB685CF3CE545C722

Function 00007FF7E5E04BDE Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 86windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7E5E05140: FindResourceA.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E05168
Part of subcall function 00007FF7E5E05140: SizeofResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E05179
Part of subcall function 00007FF7E5E05140: FindResourceA.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E0519F
Part of subcall function 00007FF7E5E05140: LoadResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E051B0
Part of subcall function 00007FF7E5E05140: LockResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E051BF
Part of subcall function 00007FF7E5E05140: memcpy_s.MSVCRT ref: 00007FF7E5E051DE
Part of subcall function 00007FF7E5E05140: FreeResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E051ED

FindResourceA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7E5E04938), ref: 00007FF7E5E04C10
LoadResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7E5E04938), ref: 00007FF7E5E04C21
LockResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7E5E04938), ref: 00007FF7E5E04C30
GetDlgItem.USER32 ref: 00007FF7E5E04C5D
ShowWindow.USER32(?,?,?,?,?,?,?,?,00000000,00007FF7E5E04938), ref: 00007FF7E5E04C6E
GetDlgItem.USER32 ref: 00007FF7E5E04C86
ShowWindow.USER32(?,?,?,?,?,?,?,?,00000000,00007FF7E5E04938), ref: 00007FF7E5E04C9A
FreeResource.KERNEL32 ref: 00007FF7E5E04DB1
SendMessageA.USER32 ref: 00007FF7E5E04E13

Strings

CABINET, xrefs: 00007FF7E5E04BED, 00007FF7E5E04C07

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
String ID: CABINET
API String ID: 1305606123-1940454314
Opcode ID: 76ef0e94f0549deaf640b9006555d490fc3bb0e5fe2d088055cbb579db64d552
Instruction ID: 827515a9e096d14aaa622efcd9db9e26e4f092d59e44d45502897ee8b8d517c8
Opcode Fuzzy Hash: 76ef0e94f0549deaf640b9006555d490fc3bb0e5fe2d088055cbb579db64d552
Instruction Fuzzy Hash: 62416F71A0874A86FB506B21A765775EA90FF89F49FC48136CA8DCB690CF3CE4458722

Function 00007FF7E5E02590 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 69librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF7E5E025CD
GetProcAddress.KERNEL32 ref: 00007FF7E5E025EF
AllocateAndInitializeSid.ADVAPI32 ref: 00007FF7E5E0263C
FreeSid.ADVAPI32 ref: 00007FF7E5E0266E
FreeLibrary.KERNEL32 ref: 00007FF7E5E0267D

Strings

CheckTokenMembership, xrefs: 00007FF7E5E025E5
advapi32.dll, xrefs: 00007FF7E5E025C0

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: FreeLibrary$AddressAllocateInitializeLoadProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 4204503880-1888249752
Opcode ID: e160c6785fde90a48b04fb9c74fff3393dcd095ced99b921061e37aaea61ca71
Instruction ID: 92afecb741839ede933a3204f5441731badbdf9183c5c0971c876ff8488205bf
Opcode Fuzzy Hash: e160c6785fde90a48b04fb9c74fff3393dcd095ced99b921061e37aaea61ca71
Instruction Fuzzy Hash: 04316132608B498AD7109F16F4542AAFBA0FB89F94F855136EE8E87714DF3CE445CB00

Function 00007FF7E5E033BC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7E5E080FA), ref: 00007FF7E5E033D1
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00007FF7E5E080FA), ref: 00007FF7E5E033EA
LookupPrivilegeValueA.ADVAPI32 ref: 00007FF7E5E0342B
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF7E5E03462
CloseHandle.KERNEL32 ref: 00007FF7E5E03475
ExitWindowsEx.USER32 ref: 00007FF7E5E034A1

Strings

SeShutdownPrivilege, xrefs: 00007FF7E5E03424

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentExitHandleLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 2829607268-3733053543
Opcode ID: 68f57858d0a37f1d9b97d15ccc180e4361d8fc185c2eeebe84e4efed2f4b6a83
Instruction ID: 09369aa830b206fcbb239e4bab67f63d5bbc2e97c7cfd0b87f27ad9f4f0eaeb6
Opcode Fuzzy Hash: 68f57858d0a37f1d9b97d15ccc180e4361d8fc185c2eeebe84e4efed2f4b6a83
Instruction Fuzzy Hash: 9C21D532A1864683F7509F60F56537EFBA0FB89B49F809136DA8E8BA54CF3CD0448B11

Function 00007FF7E5E018E4 Relevance: 9.0, APIs: 6, Instructions: 49timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7E5E01914
GetCurrentProcessId.KERNEL32 ref: 00007FF7E5E01922
GetCurrentThreadId.KERNEL32 ref: 00007FF7E5E0192E
GetTickCount.KERNEL32 ref: 00007FF7E5E0193A
GetTickCount.KERNEL32 ref: 00007FF7E5E0194A
QueryPerformanceCounter.KERNEL32 ref: 00007FF7E5E01965

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 4104442557-0
Opcode ID: a1a8c30bc5a850f7df6bb2e960b2db2709fe8c778fbb0e1b446c87b4c6fef4b3
Instruction ID: 0a066ab698ecfc3370c1ac7e28e57de0c29970b7e79457e8c643d6e0bcb069fc
Opcode Fuzzy Hash: a1a8c30bc5a850f7df6bb2e960b2db2709fe8c778fbb0e1b446c87b4c6fef4b3
Instruction Fuzzy Hash: EC115421604B4586EB40EF70EC552A973A4F748B5CF800A31EAADCB754DF7CD194C350

Function 00007FF7E5E0170E Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7E5E0171B

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 33b5d242f9dae548e22f746f2c14e26181d9d5e8b558b2e26dfd9b2729eaeda7
Instruction ID: 27bc76e58c127330ac8def243e351b886c6ca8241ebb615cc2b29c9793ed0994
Opcode Fuzzy Hash: 33b5d242f9dae548e22f746f2c14e26181d9d5e8b558b2e26dfd9b2729eaeda7
Instruction Fuzzy Hash: D7B024037030C301C10077F00F4404415400F47D307CC1554C314C3F40CC1CD15D0310

Function 00007FF7E5E0499E Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 120threadwindowCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32 ref: 00007FF7E5E049F4
ResetEvent.KERNEL32 ref: 00007FF7E5E04A1C
SetEvent.KERNEL32 ref: 00007FF7E5E04A63
GetDesktopWindow.USER32 ref: 00007FF7E5E04AA8
GetDlgItem.USER32 ref: 00007FF7E5E04AD2
SendMessageA.USER32 ref: 00007FF7E5E04AEF
GetDlgItem.USER32 ref: 00007FF7E5E04B00
SendMessageA.USER32 ref: 00007FF7E5E04B1F
SetWindowTextA.USER32 ref: 00007FF7E5E04B35
CreateThread.KERNEL32 ref: 00007FF7E5E04B60
EndDialog.USER32 ref: 00007FF7E5E04BAA

Strings

, xrefs: 00007FF7E5E04A46
Comp, xrefs: 00007FF7E5E04B2B

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: EventItemMessageSendThreadWindow$CreateDesktopDialogResetTerminateText
String ID: $Comp
API String ID: 2654313074-3360895561
Opcode ID: 161ecbf182c25f1165986d72c8c0059cd173de4edb9b55fbd2b049afc53b66ca
Instruction ID: dfe02fe1b88338a96d86122c0d56f172823d750819ac7c7d36b22e0ec959c74f
Opcode Fuzzy Hash: 161ecbf182c25f1165986d72c8c0059cd173de4edb9b55fbd2b049afc53b66ca
Instruction Fuzzy Hash: 23516631D0874686E710BF11EB64379E6A1FB89F59F848132CA9DCB794CF3C94458B22

Function 00007FF7E5E06768 Relevance: 23.2, APIs: 10, Strings: 3, Instructions: 477COMMON

Download Yara Rule

APIs

CharNextA.USER32 ref: 00007FF7E5E067E7
GetModuleFileNameA.KERNEL32 ref: 00007FF7E5E068BB
CharUpperA.USER32 ref: 00007FF7E5E068FE
CharUpperA.USER32 ref: 00007FF7E5E06994
CompareStringA.KERNEL32 ref: 00007FF7E5E06A28
CharUpperA.USER32 ref: 00007FF7E5E06A63
CharUpperA.USER32 ref: 00007FF7E5E06ABF
CharUpperA.USER32 ref: 00007FF7E5E06B5C

Part of subcall function 00007FF7E5E089BC: IsDBCSLeadByte.KERNEL32 ref: 00007FF7E5E089E1
Part of subcall function 00007FF7E5E089BC: CharNextA.USER32 ref: 00007FF7E5E089F9

CloseHandle.KERNEL32 ref: 00007FF7E5E06D89
ExitProcess.KERNEL32 ref: 00007FF7E5E06D97

Strings

RegServer, xrefs: 00007FF7E5E06A19
:, xrefs: 00007FF7E5E06B03
", xrefs: 00007FF7E5E0684E

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: Char$Upper$Next$ByteCloseCompareExitFileHandleLeadModuleNameProcessString
String ID: "$:$RegServer
API String ID: 23972181-766454958
Opcode ID: 30a90c34f7cbb46e34736c76c13f057931b7289761545bddfdfb8314716cf64c
Instruction ID: a6a7dd96660e2ff73fccbb652dd921339972abf69b88e7d7e2eb7638eba8a590
Opcode Fuzzy Hash: 30a90c34f7cbb46e34736c76c13f057931b7289761545bddfdfb8314716cf64c
Instruction Fuzzy Hash: 7E12C461E0C68A41EE20AB149674379EBA1AF41F5CFD44137C9DE8E695CE3DE402E722

Function 00007FF7E5E03950 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 141libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF7E5E0397A
GetProcAddress.KERNEL32 ref: 00007FF7E5E0399E
GetProcAddress.KERNEL32 ref: 00007FF7E5E039BE
GetProcAddress.KERNEL32 ref: 00007FF7E5E039E5
GetTempPathA.KERNEL32 ref: 00007FF7E5E03A16
CharPrevA.USER32 ref: 00007FF7E5E03A34
CharPrevA.USER32 ref: 00007FF7E5E03A4E
FreeLibrary.KERNEL32 ref: 00007FF7E5E03B30
FreeLibrary.KERNEL32 ref: 00007FF7E5E03B4C

Strings

SHGetPathFromIDList, xrefs: 00007FF7E5E039DB
SHELL32.DLL, xrefs: 00007FF7E5E03973
SHBrowseForFolder, xrefs: 00007FF7E5E03994

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
API String ID: 1865808269-1731843650
Opcode ID: a68a2c2134a308fc5224faae6e68b9a8e707b355ac96a450fb768dad26968aab
Instruction ID: d0ef24ab51e4e98450f94edcaf6635d7e53d293f233186ae3debb7fd63458757
Opcode Fuzzy Hash: a68a2c2134a308fc5224faae6e68b9a8e707b355ac96a450fb768dad26968aab
Instruction Fuzzy Hash: 96518421A0978A86EB11AF11AA20379FBA1FB49F98FC45136CACD8B790DF3CD445C711

Function 00007FF7E5E02D34 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 149registryCOMMON

Download Yara Rule

APIs

CharUpperA.USER32 ref: 00007FF7E5E02D7A
CharNextA.USER32 ref: 00007FF7E5E02D8C
CharNextA.USER32 ref: 00007FF7E5E02D9B
GetWindowsDirectoryA.KERNEL32 ref: 00007FF7E5E02DC4
GetSystemDirectoryA.KERNEL32 ref: 00007FF7E5E02DDD
RegOpenKeyExA.ADVAPI32 ref: 00007FF7E5E02E6C
RegQueryValueExA.ADVAPI32 ref: 00007FF7E5E02EA3
ExpandEnvironmentStringsA.KERNEL32 ref: 00007FF7E5E02ECA
RegCloseKey.ADVAPI32 ref: 00007FF7E5E02F2B
GetSystemDirectoryA.KERNEL32 ref: 00007FF7E5E02F42

Strings

Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 00007FF7E5E02DEE

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: CharDirectory$NextSystem$CloseEnvironmentExpandOpenQueryStringsUpperValueWindows
String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
API String ID: 229715263-2428544900
Opcode ID: 1142a4cd6e006e845246af9bdb5df0897ae5876e42b73e5154f1751647277efe
Instruction ID: ebe81a85937dc468477b3e625b88d1ccb4ff3c66d50349411b7be577cc55676b
Opcode Fuzzy Hash: 1142a4cd6e006e845246af9bdb5df0897ae5876e42b73e5154f1751647277efe
Instruction Fuzzy Hash: D551827260868586EA119F10E5643B9FBA0FB89F88FD45032DA8E8B794DF3CD845C711

Function 00007FF7E5E061E8 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 180memorywindowCOMMON

Download Yara Rule

APIs

LoadStringA.USER32 ref: 00007FF7E5E06278
LocalAlloc.KERNEL32 ref: 00007FF7E5E06379
LocalAlloc.KERNEL32 ref: 00007FF7E5E063AD
MessageBoxA.USER32 ref: 00007FF7E5E062B8

Part of subcall function 00007FF7E5E08AE4: EnumResourceLanguagesA.KERNEL32 ref: 00007FF7E5E08B3C
Part of subcall function 00007FF7E5E08AE4: EnumResourceLanguagesA.KERNEL32 ref: 00007FF7E5E08B7A

LocalAlloc.KERNEL32 ref: 00007FF7E5E06314
MessageBeep.USER32 ref: 00007FF7E5E06419
MessageBoxA.USER32 ref: 00007FF7E5E0645E
LocalFree.KERNEL32 ref: 00007FF7E5E0646F

Part of subcall function 00007FF7E5E08BB4: GetVersionExA.KERNEL32 ref: 00007FF7E5E08C09
Part of subcall function 00007FF7E5E08BB4: GetSystemMetrics.USER32 ref: 00007FF7E5E08C43
Part of subcall function 00007FF7E5E08BB4: RegOpenKeyExA.ADVAPI32 ref: 00007FF7E5E08C78
Part of subcall function 00007FF7E5E08BB4: RegQueryValueExA.ADVAPI32 ref: 00007FF7E5E08CB3
Part of subcall function 00007FF7E5E08BB4: RegCloseKey.ADVAPI32 ref: 00007FF7E5E08CC6
Part of subcall function 00007FF7E5E08BB4: CharNextA.USER32 ref: 00007FF7E5E08D15

Strings

rce., xrefs: 00007FF7E5E06224
Comp, xrefs: 00007FF7E5E062A9, 00007FF7E5E0644A

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: Local$AllocMessage$EnumLanguagesResource$BeepCharCloseFreeLoadMetricsNextOpenQueryStringSystemValueVersion
String ID: Comp$rce.
API String ID: 2929476258-2451881752
Opcode ID: 3ed11fbad5beae089dae1fca1131bae79aefec419c72aa5072dd9cc5e96e98b3
Instruction ID: b5201e1d5a8232caf0a7f802c8720bd8ba057079a1241d09918125dad5cf2ee7
Opcode Fuzzy Hash: 3ed11fbad5beae089dae1fca1131bae79aefec419c72aa5072dd9cc5e96e98b3
Instruction Fuzzy Hash: CA71D721E0878986FA51AB25A6203B9E790BF55F5CF845232DECD8B7C1DF3CE4458721

Function 00007FF7E5E0604E Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF7E5E06090
GetDesktopWindow.USER32 ref: 00007FF7E5E060A1
SetDlgItemTextA.USER32 ref: 00007FF7E5E060C7
SetWindowTextA.USER32 ref: 00007FF7E5E060DD
SetForegroundWindow.USER32 ref: 00007FF7E5E060EC
GetDlgItem.USER32 ref: 00007FF7E5E06100
GetWindowLongPtrA.USER32 ref: 00007FF7E5E06117
SetWindowLongPtrA.USER32 ref: 00007FF7E5E06139
SendDlgItemMessageA.USER32 ref: 00007FF7E5E0616A

Strings

Comp, xrefs: 00007FF7E5E060D3

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
String ID: Comp
API String ID: 3785188418-1798881284
Opcode ID: b99bfbc71c6e47e8d2dd802e5a3d49e478e887f1f55d0a3e4aad63706f5b073e
Instruction ID: 50c270c8b6b7e83892e0dbe04c0a5c891ae5d7971909088d2c1d2a7f3e5abd69
Opcode Fuzzy Hash: b99bfbc71c6e47e8d2dd802e5a3d49e478e887f1f55d0a3e4aad63706f5b073e
Instruction Fuzzy Hash: 9C31493090464A86EA106F61A5243B5FB51FB8AF69FC49232C99ECB3D0CF3CA545D722

Function 00007FF7E5E03118 Relevance: 16.6, APIs: 11, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7E5E02590: LoadLibraryA.KERNEL32 ref: 00007FF7E5E025CD
Part of subcall function 00007FF7E5E02590: GetProcAddress.KERNEL32 ref: 00007FF7E5E025EF
Part of subcall function 00007FF7E5E02590: AllocateAndInitializeSid.ADVAPI32 ref: 00007FF7E5E0263C
Part of subcall function 00007FF7E5E02590: FreeSid.ADVAPI32 ref: 00007FF7E5E0266E
Part of subcall function 00007FF7E5E02590: FreeLibrary.KERNEL32 ref: 00007FF7E5E0267D

GetCurrentProcess.KERNEL32 ref: 00007FF7E5E03179
OpenProcessToken.ADVAPI32 ref: 00007FF7E5E0318F
GetTokenInformation.ADVAPI32 ref: 00007FF7E5E031B8
GetLastError.KERNEL32 ref: 00007FF7E5E031CC
LocalAlloc.KERNEL32 ref: 00007FF7E5E031E6
GetTokenInformation.ADVAPI32 ref: 00007FF7E5E03214
AllocateAndInitializeSid.ADVAPI32 ref: 00007FF7E5E03261
EqualSid.ADVAPI32 ref: 00007FF7E5E0328C
FreeSid.ADVAPI32 ref: 00007FF7E5E032B1
LocalFree.KERNEL32 ref: 00007FF7E5E032C0
CloseHandle.KERNEL32 ref: 00007FF7E5E032D0

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
String ID:
API String ID: 2168512254-0
Opcode ID: 5aa378a5a02dea733385acf5e55f93e1415a95ae54cf52c9b480b087f5f96856
Instruction ID: 414743ddc9ed97ebd4ae0d605ec56ababe25f8df95a16e045b152891a14a79c7
Opcode Fuzzy Hash: 5aa378a5a02dea733385acf5e55f93e1415a95ae54cf52c9b480b087f5f96856
Instruction Fuzzy Hash: ED514F32604B46CBE710AF21E5A42A9BBA4FB4DF88F815136DA8E9B754DF38D444CB11

Function 00007FF7E5E08BB4 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109registryCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF7E5E08C09
GetSystemMetrics.USER32 ref: 00007FF7E5E08C43
RegOpenKeyExA.ADVAPI32 ref: 00007FF7E5E08C78
RegQueryValueExA.ADVAPI32 ref: 00007FF7E5E08CB3
RegCloseKey.ADVAPI32 ref: 00007FF7E5E08CC6
CharNextA.USER32 ref: 00007FF7E5E08D15

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 00007FF7E5E08C6A

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
String ID: Control Panel\Desktop\ResourceLocale
API String ID: 3346862599-1109908249
Opcode ID: 79618cbf566f24ba719aea2154ce45ce3ef321f6ac2e06029fa2153c5c1a82fb
Instruction ID: b1abbdcc0fb44189e334dd6753218605f850d7943c624e22f2351e2764aaf134
Opcode Fuzzy Hash: 79618cbf566f24ba719aea2154ce45ce3ef321f6ac2e06029fa2153c5c1a82fb
Instruction Fuzzy Hash: 71510872A086458BE7109F20E5502B8F7A5F755F58F815233CA9E8B784CF7CE405CB52

Function 00007FF7E5E02A10 Relevance: 12.2, APIs: 8, Instructions: 175COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF7E5E02A62
IsDBCSLeadByte.KERNEL32 ref: 00007FF7E5E02A7E
CharNextA.USER32 ref: 00007FF7E5E02AA4
CharUpperA.USER32 ref: 00007FF7E5E02AB7
CharPrevA.USER32 ref: 00007FF7E5E02AF3
CharUpperA.USER32 ref: 00007FF7E5E02B99
CharNextA.USER32 ref: 00007FF7E5E02C3E
CharNextA.USER32 ref: 00007FF7E5E02C50

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: Char$Next$Upper$ByteFileLeadModuleNamePrev
String ID:
API String ID: 975904313-0
Opcode ID: aa7ba7297077793f7d626753686711e9c4ffdaff21383c5eed26811cbffd48fb
Instruction ID: 96dda7a94d5f9aeb5f9eda7815c1077a6b30a3790fc91735a39863be5cbd0625
Opcode Fuzzy Hash: aa7ba7297077793f7d626753686711e9c4ffdaff21383c5eed26811cbffd48fb
Instruction Fuzzy Hash: 55719851A0C68945FF616F25D574378EBD1AB49FA8F884172CADE8B3C1CE3C98058722

Function 00007FF7E5E022F0 Relevance: 12.2, APIs: 8, Instructions: 162memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32 ref: 00007FF7E5E0251A

Part of subcall function 00007FF7E5E02D34: CharUpperA.USER32 ref: 00007FF7E5E02D7A
Part of subcall function 00007FF7E5E02D34: CharNextA.USER32 ref: 00007FF7E5E02D8C
Part of subcall function 00007FF7E5E02D34: CharNextA.USER32 ref: 00007FF7E5E02D9B
Part of subcall function 00007FF7E5E02D34: GetWindowsDirectoryA.KERNEL32 ref: 00007FF7E5E02DC4

GetFileVersionInfoSizeA.VERSION ref: 00007FF7E5E02367
GlobalAlloc.KERNEL32 ref: 00007FF7E5E02386
GlobalLock.KERNEL32 ref: 00007FF7E5E023A1
GetFileVersionInfoA.VERSION ref: 00007FF7E5E023C9
VerQueryValueA.VERSION ref: 00007FF7E5E023EF
GlobalUnlock.KERNEL32 ref: 00007FF7E5E02499
GlobalUnlock.KERNEL32 ref: 00007FF7E5E024B4

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: Global$Char$FileInfoNextUnlockVersion$AllocDirectoryFreeLockQuerySizeUpperValueWindows
String ID:
API String ID: 2920131565-0
Opcode ID: e2c6928dca72d3c9787df6f30925460e70e82d21755a383799fca88f808043d4
Instruction ID: 681b525e6a6b2ea6a5d42f3e843991171e1794de81651becc4792fd229b09df6
Opcode Fuzzy Hash: e2c6928dca72d3c9787df6f30925460e70e82d21755a383799fca88f808043d4
Instruction Fuzzy Hash: 7A61B272A0465A8AEB509F15D6642BCB7E1FB04B98F804432DE8D9B784DF38EC41C722

Function 00007FF7E5E03C8C Relevance: 10.6, APIs: 7, Instructions: 100COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E5E0375F), ref: 00007FF7E5E03CBF
GetWindowRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E5E0375F), ref: 00007FF7E5E03CE0
GetDC.USER32 ref: 00007FF7E5E03CFD
GetDeviceCaps.GDI32 ref: 00007FF7E5E03D14
GetDeviceCaps.GDI32 ref: 00007FF7E5E03D2B
ReleaseDC.USER32 ref: 00007FF7E5E03D44
SetWindowPos.USER32 ref: 00007FF7E5E03DB6

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: Window$CapsDeviceRect$Release
String ID:
API String ID: 2212493051-0
Opcode ID: 6bf25506a061de764c46ff11c3dabc26361253386e945ff23246536f7576ff98
Instruction ID: 4bb302016b752a75e3afd61a3c66ef626f63c70d4a502d91a6966a5972ed4647
Opcode Fuzzy Hash: 6bf25506a061de764c46ff11c3dabc26361253386e945ff23246536f7576ff98
Instruction Fuzzy Hash: A0318C32B206058AE7109F65E914ABDBBA1F74CB99F985132CE4997B44CF38E445CB10

Function 00007FF7E5E04598 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 71memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7E5E05140: FindResourceA.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E05168
Part of subcall function 00007FF7E5E05140: SizeofResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E05179
Part of subcall function 00007FF7E5E05140: FindResourceA.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E0519F
Part of subcall function 00007FF7E5E05140: LoadResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E051B0
Part of subcall function 00007FF7E5E05140: LockResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E051BF
Part of subcall function 00007FF7E5E05140: memcpy_s.MSVCRT ref: 00007FF7E5E051DE
Part of subcall function 00007FF7E5E05140: FreeResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E051ED

LocalAlloc.KERNEL32(?,?,?,?,?,00007FF7E5E04735), ref: 00007FF7E5E045B9
LocalFree.KERNEL32 ref: 00007FF7E5E0463C

Part of subcall function 00007FF7E5E061E8: LoadStringA.USER32 ref: 00007FF7E5E06278
Part of subcall function 00007FF7E5E061E8: MessageBoxA.USER32 ref: 00007FF7E5E062B8

Part of subcall function 00007FF7E5E06590: GetLastError.KERNEL32 ref: 00007FF7E5E06594

lstrcmpA.KERNEL32(?,?,?,?,?,00007FF7E5E04735), ref: 00007FF7E5E04662
LocalFree.KERNEL32(?,?,?,?,?,00007FF7E5E04735), ref: 00007FF7E5E046C3

Part of subcall function 00007FF7E5E064B0: FindResourceA.KERNEL32 ref: 00007FF7E5E064DA
Part of subcall function 00007FF7E5E064B0: LoadResource.KERNEL32 ref: 00007FF7E5E064F1
Part of subcall function 00007FF7E5E064B0: DialogBoxIndirectParamA.USER32 ref: 00007FF7E5E06527
Part of subcall function 00007FF7E5E064B0: FreeResource.KERNEL32 ref: 00007FF7E5E06539

LocalFree.KERNEL32 ref: 00007FF7E5E0469C

Strings

<None>, xrefs: 00007FF7E5E0465B
LICENSE, xrefs: 00007FF7E5E045A1, 00007FF7E5E04604

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
String ID: <None>$LICENSE
API String ID: 2414642746-383193767
Opcode ID: d8f725790712cab8ff229354588275550b10545e7930818d23b6b2a348e3f118
Instruction ID: f8916c9dc1a28d5a0086387251ef2c8162f1dceafb2aa117eb3c41dfb6d3344a
Opcode Fuzzy Hash: d8f725790712cab8ff229354588275550b10545e7930818d23b6b2a348e3f118
Instruction Fuzzy Hash: E2314D31A1960A82F710BF10E734776A660EB85F4DFC05536C98DCE690EF7CE4008B22

Function 00007FF7E5E07BB8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7E5E04FA3), ref: 00007FF7E5E07BEF
LockResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7E5E04FA3), ref: 00007FF7E5E07BFE
FreeResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7E5E04FA3), ref: 00007FF7E5E07C4E
FindResourceA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7E5E04FA3), ref: 00007FF7E5E07C82
FreeResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7E5E04FA3), ref: 00007FF7E5E07C9B

Strings

UPDFILE%lu, xrefs: 00007FF7E5E07C5F

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: Resource$Free$FindLoadLock
String ID: UPDFILE%lu
API String ID: 3629466761-2329316264
Opcode ID: d41cb9711b44c5778f8d685044e0478faac0a7e9c0355c6fd43fe1abdcbe4688
Instruction ID: e1f8b108236f4fdef6316f4f0f965ee7125360cd3c29704ebab2a17419328f53
Opcode Fuzzy Hash: d41cb9711b44c5778f8d685044e0478faac0a7e9c0355c6fd43fe1abdcbe4688
Instruction Fuzzy Hash: A2319731A08645C6E714AF15A520279F7A1FF89F54F954236EA9E8B394CF3CE444CB11

Function 00007FF7E5E05140 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E05168
SizeofResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E05179
FindResourceA.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E0519F
LoadResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E051B0
LockResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E051BF
memcpy_s.MSVCRT ref: 00007FF7E5E051DE
FreeResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E051ED

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
String ID:
API String ID: 3370778649-0
Opcode ID: eaca51f8d58b0d414e22daa5353a49b1fbb1179a865c63ac3ffb404108bcea55
Instruction ID: d84d1d5ecfe1c3616fcbe500476ba4b3985e1efc66a27da637649c423595d978
Opcode Fuzzy Hash: eaca51f8d58b0d414e22daa5353a49b1fbb1179a865c63ac3ffb404108bcea55
Instruction Fuzzy Hash: 1D115E31708B4587E7146B62A624239FAA0FB4EFC5B849036DE4ECB744DF3CD4458711

Function 00007FF7E5E03044 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32 ref: 00007FF7E5E03071
WritePrivateProfileStringA.KERNEL32 ref: 00007FF7E5E030A0
_lopen.KERNEL32 ref: 00007FF7E5E030B4
_llseek.KERNEL32 ref: 00007FF7E5E030CF
_lclose.KERNEL32 ref: 00007FF7E5E030DF

Strings

wininit.ini, xrefs: 00007FF7E5E03081

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
String ID: wininit.ini
API String ID: 3273605193-4206010578
Opcode ID: 9400fdb6d7a44d6df7f18705ef269f017eb9ad4388b642ce147a901e5ae05de9
Instruction ID: 13dacafef3383b1335c6b9d46210f9138a4c2ec38e70171302f468054755d8b0
Opcode Fuzzy Hash: 9400fdb6d7a44d6df7f18705ef269f017eb9ad4388b642ce147a901e5ae05de9
Instruction Fuzzy Hash: 66112E32608A8587E710AF21E5643AAB7A1FB8DB18F859232DA8EC7654DF3CD545CB10

Function 00007FF7E5E0669E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00007FF7E5E066EC
SetWindowTextA.USER32 ref: 00007FF7E5E0670D
SetDlgItemTextA.USER32 ref: 00007FF7E5E06728
SetForegroundWindow.USER32 ref: 00007FF7E5E06737
EndDialog.USER32 ref: 00007FF7E5E0674A

Strings

Comp, xrefs: 00007FF7E5E06703

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: Window$Text$DesktopDialogForegroundItem
String ID: Comp
API String ID: 761066910-1798881284
Opcode ID: d27efb2bfb772949979602fae28f15f48041aa30681c92464f837cb170850190
Instruction ID: 7bb35161432070f87600a62aec840f8921efaa92de03f15eca886c8efc319139
Opcode Fuzzy Hash: d27efb2bfb772949979602fae28f15f48041aa30681c92464f837cb170850190
Instruction Fuzzy Hash: 3F111265A0860A87F6542B25B628374DA51EB4AF59FD89032C88ECF394DF7CE444D722

Function 00007FF7E5E04E34 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7E5E05140: FindResourceA.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E05168
Part of subcall function 00007FF7E5E05140: SizeofResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E05179
Part of subcall function 00007FF7E5E05140: FindResourceA.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E0519F
Part of subcall function 00007FF7E5E05140: LoadResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E051B0
Part of subcall function 00007FF7E5E05140: LockResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E051BF
Part of subcall function 00007FF7E5E05140: memcpy_s.MSVCRT ref: 00007FF7E5E051DE
Part of subcall function 00007FF7E5E05140: FreeResource.KERNEL32(?,?,0000000A,00007FF7E5E058A6), ref: 00007FF7E5E051ED

LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF7E5E0498A), ref: 00007FF7E5E04E5D
LocalFree.KERNEL32(?,?,?,?,00000000,00007FF7E5E0498A), ref: 00007FF7E5E04EF9

Part of subcall function 00007FF7E5E061E8: LoadStringA.USER32 ref: 00007FF7E5E06278
Part of subcall function 00007FF7E5E061E8: MessageBoxA.USER32 ref: 00007FF7E5E062B8

Strings

<None>, xrefs: 00007FF7E5E04EBD
FINISHMSG, xrefs: 00007FF7E5E04E41, 00007FF7E5E04E94
@, xrefs: 00007FF7E5E04EDF

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
String ID: <None>$@$FINISHMSG
API String ID: 3507850446-4126004490
Opcode ID: 46f6a34e6422b476f92bef806b9afb6e738230eab6fd6dc1f836e9041f14e154
Instruction ID: 6e4259193c41a8cff80e52a8541adff75db677f3113bfdec04aa1733f89177b5
Opcode Fuzzy Hash: 46f6a34e6422b476f92bef806b9afb6e738230eab6fd6dc1f836e9041f14e154
Instruction Fuzzy Hash: 4211A772A0874683FB20AF21E62077AE650EB89B48FC45136DA8DCF685DF3CD5008B11

Function 00007FF7E5E065B8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 48libraryCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32 ref: 00007FF7E5E06630
LoadLibraryExA.KERNEL32 ref: 00007FF7E5E06650
LoadLibraryA.KERNEL32 ref: 00007FF7E5E06665

Strings

advpack.dll, xrefs: 00007FF7E5E06613, 00007FF7E5E0665E
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF7E5E065D6

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: LibraryLoad$AttributesFile
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$advpack.dll
API String ID: 438848745-1955609190
Opcode ID: 963a3f96620efcd57751c6ee7ade2dcdaa22df72e3894113d12d29ba1fba980a
Instruction ID: fe322b07c0e82f2a890c7aca5ce0b24401891deeff6ba5955e39d299bbb1662e
Opcode Fuzzy Hash: 963a3f96620efcd57751c6ee7ade2dcdaa22df72e3894113d12d29ba1fba980a
Instruction Fuzzy Hash: 71115031A1868A85EE21AF10E5613F9B7A0FB99F08FC44233C6CD86691DF3DD509C721

Function 00007FF7E5E036EE Relevance: 7.6, APIs: 5, Instructions: 52windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF7E5E0373A
GetDesktopWindow.USER32 ref: 00007FF7E5E03748
LoadStringA.USER32 ref: 00007FF7E5E03778
SetDlgItemTextA.USER32 ref: 00007FF7E5E03791
MessageBeep.USER32 ref: 00007FF7E5E037A0

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
String ID:
API String ID: 1273765764-0
Opcode ID: 65e6fbf51a895507969a40468058746c97c4b6aea9fe2f97e498a7505ce86659
Instruction ID: 6414a4db79cb4cd37274a097ec1357ac6fa17d0f5547e664ffca4221db028244
Opcode Fuzzy Hash: 65e6fbf51a895507969a40468058746c97c4b6aea9fe2f97e498a7505ce86659
Instruction Fuzzy Hash: 61217571A086CA86E6206B21F5643BAE660FB8DF58F884132D9CE8B7D5CF3CD105C761

Function 00007FF7E5E03DF0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 230windowCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF7E5E03E3B
MessageBeep.USER32 ref: 00007FF7E5E04085
MessageBoxA.USER32 ref: 00007FF7E5E040BE

Strings

Comp, xrefs: 00007FF7E5E040AF, 00007FF7E5E040F0

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: Message$BeepVersion
String ID: Comp
API String ID: 2519184315-1798881284
Opcode ID: fb4eab478caa6204bae9f5f6a9d13087627c7f1f2c010f1b9df14a39c7a39b7c
Instruction ID: b1dbfa5555cfe01ab1eb6091200d0e54e77c04ee5f1ddf716437861faeeb4ef4
Opcode Fuzzy Hash: fb4eab478caa6204bae9f5f6a9d13087627c7f1f2c010f1b9df14a39c7a39b7c
Instruction Fuzzy Hash: 0CA1C772E1C25A86F764AF15976037AF6A0FB48F58F900137D98DDB294CE3CE8418722

Function 00007FF7E5E06E4F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FF7E5E06EFB
WriteFile.KERNEL32 ref: 00007FF7E5E06F32
CloseHandle.KERNEL32 ref: 00007FF7E5E06F57

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF7E5E06E82

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 1065093856-388467436
Opcode ID: 0e03046e849406695a98d42d2011d6eb0c047299338339c8bc95bd8c917e975f
Instruction ID: bbe44443f65b607d8e2d925013051093d0081a82a431920fbf511659dad136cf
Opcode Fuzzy Hash: 0e03046e849406695a98d42d2011d6eb0c047299338339c8bc95bd8c917e975f
Instruction Fuzzy Hash: DA31853260868586EB119F50E5507BAF760FB49B98F844236DADD8B784CF7CD508CB21

Function 00007FF7E5E07E28 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

#20.CABINET ref: 00007FF7E5E07EA1
#21.CABINET ref: 00007FF7E5E07EE0
#23.CABINET ref: 00007FF7E5E07F1A

Strings

*MEMCAB, xrefs: 00007FF7E5E07EBA

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID:
String ID: *MEMCAB
API String ID: 0-3211172518
Opcode ID: d326e7aa94b67cf4d4d3d0379e3d5024a1c04b5e8baa646fa99e55709f362e69
Instruction ID: 5b046ed5600812c04c139c6ab5440cd2821584f0b52867b405fce0f96ea27cd8
Opcode Fuzzy Hash: d326e7aa94b67cf4d4d3d0379e3d5024a1c04b5e8baa646fa99e55709f362e69
Instruction Fuzzy Hash: 50316031A1CF4A85EA40AB10E6643B9B3A0FB44B98F814233D9DC8A390DF7CD445C751

Function 00007FF7E5E02F8C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7E5E0358D), ref: 00007FF7E5E02FBD
RegQueryInfoKeyA.ADVAPI32 ref: 00007FF7E5E03007
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7E5E0358D), ref: 00007FF7E5E03025

Strings

System\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 00007FF7E5E02FAF

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: CloseInfoOpenQuery
String ID: System\CurrentControlSet\Control\Session Manager\FileRenameOperations
API String ID: 2142960691-1430103811
Opcode ID: 47349caa1c797a3ce88789d8bb3edd23980ba6ecef902e538d3c134507dba548
Instruction ID: a7f3c5019fc07b749d992f8cf6e724678fbd36d93e9478d8edde9d8bc4bd0cf7
Opcode Fuzzy Hash: 47349caa1c797a3ce88789d8bb3edd23980ba6ecef902e538d3c134507dba548
Instruction Fuzzy Hash: 05110732A18B8587E7109F25F45052AFBA8F789744B945229EBC983B28CB38D0558F00

Function 00007FF7E5E013E0 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7E5E01453
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7E5E01472
RtlVirtualUnwind.KERNEL32 ref: 00007FF7E5E014BF
__raise_securityfailure.LIBCMT ref: 00007FF7E5E015A4

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: 4f65c121b0890e46cb18bda7ebc0f2de684189390e2c9d24e6a7faa72a08dfdf
Instruction ID: c2263ecb4caae676db3d2232d1038b0461426d11c47cbac000220c9c474e3f46
Opcode Fuzzy Hash: 4f65c121b0890e46cb18bda7ebc0f2de684189390e2c9d24e6a7faa72a08dfdf
Instruction Fuzzy Hash: 8841B735A18B0981EA50AB58E9A1365F364FB84B48F905136DACDCB7A4DF3CD445C722

Function 00007FF7E5E0114B Relevance: 6.1, APIs: 4, Instructions: 72sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7E5E018E4: GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7E5E01914
Part of subcall function 00007FF7E5E018E4: GetCurrentProcessId.KERNEL32 ref: 00007FF7E5E01922
Part of subcall function 00007FF7E5E018E4: GetCurrentThreadId.KERNEL32 ref: 00007FF7E5E0192E
Part of subcall function 00007FF7E5E018E4: GetTickCount.KERNEL32 ref: 00007FF7E5E0193A
Part of subcall function 00007FF7E5E018E4: GetTickCount.KERNEL32 ref: 00007FF7E5E0194A
Part of subcall function 00007FF7E5E018E4: QueryPerformanceCounter.KERNEL32 ref: 00007FF7E5E01965

GetStartupInfoW.KERNEL32 ref: 00007FF7E5E01185
_amsg_exit.MSVCRT ref: 00007FF7E5E011C0
Sleep.KERNEL32 ref: 00007FF7E5E011CF
_initterm.MSVCRT ref: 00007FF7E5E01267
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF7E5E01294
exit.MSVCRT ref: 00007FF7E5E01330
_cexit.MSVCRT ref: 00007FF7E5E0133F

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: Current$CountTickTime$CounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThread_amsg_exit_cexit_inittermexit
String ID:
API String ID: 1267577977-0
Opcode ID: 67f1339d4cfeb4c52d404ce0f2d4713285857e4fe6d3d857e098854071e4ffab
Instruction ID: 8065b98d88aab8262513c4f53fd588f2ac036e95b557b3e58c54a68ac56331b1
Opcode Fuzzy Hash: 67f1339d4cfeb4c52d404ce0f2d4713285857e4fe6d3d857e098854071e4ffab
Instruction Fuzzy Hash: 91313C2190864A86E618BB21EE71379A3A1EF45B58FD40437DACDCF2A5DE3CE444C722

Function 00007FF7E5E0143B Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7E5E01453
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7E5E01472
RtlVirtualUnwind.KERNEL32 ref: 00007FF7E5E014BF
__raise_securityfailure.LIBCMT ref: 00007FF7E5E015A4

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: 0495dd60c7ced2f9c3233f3fe49d434584880a05317a0e056b8bda12f970aa15
Instruction ID: bc6b87f65131e0efe27774baf4101b94fd305ed80fe139061a385923b6524c9d
Opcode Fuzzy Hash: 0495dd60c7ced2f9c3233f3fe49d434584880a05317a0e056b8bda12f970aa15
Instruction Fuzzy Hash: DE311735608B0581EB10AF58F9A1366F364FB88B48F905136DACD8BBA4DF3CD448C721

Function 00007FF7E5E064B0 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 00007FF7E5E064DA
LoadResource.KERNEL32 ref: 00007FF7E5E064F1
DialogBoxIndirectParamA.USER32 ref: 00007FF7E5E06527
FreeResource.KERNEL32 ref: 00007FF7E5E06539

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: Resource$DialogFindFreeIndirectLoadParam
String ID:
API String ID: 1214682469-0
Opcode ID: f84731171d3fff93161b8d11559f90ff40e31cde7bbef708dcb137f56a2588f9
Instruction ID: 0ede8bed26c46db538c30034f8e02401a2d06c65748c758c87c78ea4f7be1173
Opcode Fuzzy Hash: f84731171d3fff93161b8d11559f90ff40e31cde7bbef708dcb137f56a2588f9
Instruction Fuzzy Hash: 15112131A09B4586EA109F11F514369FA60FB5AFD8F884635EEDD4BB98DF3CD1418B10

Function 00007FF7E5E08914 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

CharPrevA.USER32(?,?,00000000,00007FF7E5E02AD5), ref: 00007FF7E5E08938
CharPrevA.USER32(?,?,00000000,00007FF7E5E02AD5), ref: 00007FF7E5E08954
CharPrevA.USER32(?,?,00000000,00007FF7E5E02AD5), ref: 00007FF7E5E08978
CharNextA.USER32(?,?,00000000,00007FF7E5E02AD5), ref: 00007FF7E5E0898C

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: Char$Prev$Next
String ID:
API String ID: 3260447230-0
Opcode ID: 02f17945edf2851cb969e6e0e4490fbce2b65d3964085eb94fd71e724a66b365
Instruction ID: 1dd130ada49a07f10d052bd96bae8f2628b8e92fbb66c2931c9a41dcd3587895
Opcode Fuzzy Hash: 02f17945edf2851cb969e6e0e4490fbce2b65d3964085eb94fd71e724a66b365
Instruction Fuzzy Hash: DB11AB6190C68585FF116B22A614339EE91B74AFE4FC85231CADE8B3C5CA7C94418353

Function 00007FF7E5E015B8 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7E5E015C3
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7E5E015E2
RtlVirtualUnwind.KERNEL32 ref: 00007FF7E5E0162F
__raise_securityfailure.LIBCMT ref: 00007FF7E5E016A5

Memory Dump Source

Source File: 00000000.00000002.2943753803.00007FF7E5E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7E5E00000, based on PE: true

Associated: 00000000.00000002.2943730251.00007FF7E5E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943783741.00007FF7E5E09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943810288.00007FF7E5E0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2943833523.00007FF7E5E0E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7e5e00000_file.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: 89b728313985ec8d8bc5760cebbad4f07023fb81a7c1741a44e0131cd2ee41d3
Instruction ID: 19478461060ae4c10cb77330c72ec4c8c2c933e7fbb8ada579ea9ea422eee60b
Opcode Fuzzy Hash: 89b728313985ec8d8bc5760cebbad4f07023fb81a7c1741a44e0131cd2ee41d3
Instruction Fuzzy Hash: D021C535918F4A81E700AB44F9A1369F364FB85B48F900136DACD8BBA4DF7DD045C722

Analysis Process: computerlead.exePID: 7492, Parent PID: 7472COMMON

Execution Graph

Execution Coverage:	15.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	7%
Total number of Nodes:	86
Total number of Limit Nodes:	6

Executed Functions

Function 08B7DDE8 Relevance: 1.7, APIs: 1, Instructions: 164
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessAsUserW.KERNELBASE(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 08B7DF53

Memory Dump Source

Source File: 00000001.00000002.2942907195.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b70000_computerlead.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: ad31e634ad0c559589b88713fc13f16ce07a0f30b64c3fe97d0ee51bd05a37f4
Instruction ID: 6943b55f2dbef5729c45ec1e23c3b6532ea459231dcec0048eddc90957def454
Opcode Fuzzy Hash: ad31e634ad0c559589b88713fc13f16ce07a0f30b64c3fe97d0ee51bd05a37f4
Instruction Fuzzy Hash: 5851F47190022ADFDB24CF99C840BDDBBB5BF88710F1484EAE918B7254DB759A85CF90

Function 01807FA0 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(00000000,?,?,?,?,?,?,?,?,018087FF), ref: 0180890F

Memory Dump Source

Source File: 00000001.00000002.2931288288.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1800000_computerlead.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: d3020c1922b1343f55a40d8da56177e3fc4184a17f7c600dee1aa6bec611c191
Instruction ID: 7f04ed3c547ac5d8017ebe3e764bddcdf21749f285e6e9783090c005fd78480f
Opcode Fuzzy Hash: d3020c1922b1343f55a40d8da56177e3fc4184a17f7c600dee1aa6bec611c191
Instruction Fuzzy Hash: 812166718042598FDB00CF9AC884BEEFBF4EF49310F14846AE949A3240D378AA44CFA1

Function 01808890 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(00000000,?,?,?,?,?,?,?,?,018087FF), ref: 0180890F

Memory Dump Source

Source File: 00000001.00000002.2931288288.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1800000_computerlead.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 4caeac09a36bb972149da1f9c760448603e6678e147e9e268e4ae75d5c294695
Instruction ID: 43f77a1c91b44041b72e9abe05ce535330e9c5b91c9742fc580b601ed9f58c51
Opcode Fuzzy Hash: 4caeac09a36bb972149da1f9c760448603e6678e147e9e268e4ae75d5c294695
Instruction Fuzzy Hash: D1214871800259CFDB14DF9AD884BEEBBF4EF49310F14845AE958A7350D7789A44CF61

Function 031B1B81 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 031B1C06

Memory Dump Source

Source File: 00000001.00000002.2931561950.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_31b0000_computerlead.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ee1124ade636343ad85aef8a427cb25c8237d67f4fe72cecfccd28142124058c
Instruction ID: 0ed1c9c534bd2124d85c3204105cfdc9c41a02b9a8ea175aaad38efd21fb3948
Opcode Fuzzy Hash: ee1124ade636343ad85aef8a427cb25c8237d67f4fe72cecfccd28142124058c
Instruction Fuzzy Hash: A3213875D003099FEB10DFAAC985BEEBBF4EF88314F14842AD519A7241CB789644CFA4

Function 0799D6BA Relevance: 1.6, APIs: 1, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0799D74B

Memory Dump Source

Source File: 00000001.00000002.2940502389.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7990000_computerlead.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e8bd022fc7ae04e6eee5e622ce55a3b6142559c32f97fd40d9d9528fc4b13459
Instruction ID: 02b2cc09b90df6db8854899030faaec522d53e1c8c3f0d7f10945a82e144beeb
Opcode Fuzzy Hash: e8bd022fc7ae04e6eee5e622ce55a3b6142559c32f97fd40d9d9528fc4b13459
Instruction Fuzzy Hash: F12136B69047898FDB11CFAAC584BDEBBF4AB49310F14806AE458A7251C3399545CFA1

Function 08B7F9A8 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 08B7FA26

Memory Dump Source

Source File: 00000001.00000002.2942907195.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b70000_computerlead.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c6ef12f8b26db13623ea5f6ed90fd3e7b1f1c0d27812c365d7ca2f88a7744d15
Instruction ID: cea573d66d91f3bcc59ed77f5aa7b5df0589586710cd9a8d6cd76cd8845a4024
Opcode Fuzzy Hash: c6ef12f8b26db13623ea5f6ed90fd3e7b1f1c0d27812c365d7ca2f88a7744d15
Instruction Fuzzy Hash: 6A211871D003498FEB10DFAAC4857EEBBF4EF88325F14842AD559A7241DB789944CFA4

Function 031B1B88 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 031B1C06

Memory Dump Source

Source File: 00000001.00000002.2931561950.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_31b0000_computerlead.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 96257be1d8e03ff7ebdd298c75e7ff9489251874a3222728ce2c8d9e6ed2a8fa
Instruction ID: 182a44be4c3eef8c557e8a21a2de6ac548a3a3c020a38c71b6ad7968c0a3b974
Opcode Fuzzy Hash: 96257be1d8e03ff7ebdd298c75e7ff9489251874a3222728ce2c8d9e6ed2a8fa
Instruction Fuzzy Hash: 7D211571D003099FEB10DFAAC585BEEBBF4EF88324F14842AD559A7241DB789944CFA4

Function 031B139A Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 031B1417

Memory Dump Source

Source File: 00000001.00000002.2931561950.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_31b0000_computerlead.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f428ce701f0b240b355688ba5203a838513d5f5dac1d5ff5ed7fd40b83193f9e
Instruction ID: a377d6bb73b4bd129fcdd8f73297358938e43fdb0e063853d61aa8ed50984333
Opcode Fuzzy Hash: f428ce701f0b240b355688ba5203a838513d5f5dac1d5ff5ed7fd40b83193f9e
Instruction Fuzzy Hash: 6F213571C002499FEB10CFAAC981BEEBBF5FF88320F14842AD519A7250CB389554CFA0

Function 031B13A0 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 031B1417

Memory Dump Source

Source File: 00000001.00000002.2931561950.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_31b0000_computerlead.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0fcbe3d5764f41cafc7a0b200f04e3d0173f780fdb36f7c66de0e8724e4f88ba
Instruction ID: 2e5e52f4dd22e8a7890f62b0dd827fa535a1f91a36a4b5f9fc78e5c86e8ba8db
Opcode Fuzzy Hash: 0fcbe3d5764f41cafc7a0b200f04e3d0173f780fdb36f7c66de0e8724e4f88ba
Instruction Fuzzy Hash: 622135718002499FEB10DFAAC841BEEBBF5EF88320F14842AD519A7240C7789950CFA0

Function 0799FB60 Relevance: 1.6, APIs: 1, Instructions: 57injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0799FBF0

Memory Dump Source

Source File: 00000001.00000002.2940502389.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7990000_computerlead.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: cc6e6b52c6625716cebfd55ed1ed3852fcfe287db1b126d09783b7eec4304227
Instruction ID: f79efb8cf988ef8a1767bb410bc0b0e8f39306e1954bacf7d1f92673a2ffaae8
Opcode Fuzzy Hash: cc6e6b52c6625716cebfd55ed1ed3852fcfe287db1b126d09783b7eec4304227
Instruction Fuzzy Hash: 0F2106B190035A9FEF10DFAAC885BDEBBF5FF48314F148429E919A7250C7789940CBA4

Function 07990871 Relevance: 1.6, APIs: 1, Instructions: 57fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 079908E8

Memory Dump Source

Source File: 00000001.00000002.2940502389.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7990000_computerlead.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: c71cd5982d06b9b5ca38a69184e5b9beeb0554044393dacb05636d664596839c
Instruction ID: 638a355e7babbfb277e2400ef5243018d76ec27ebbd055a7617293a27dc4764b
Opcode Fuzzy Hash: c71cd5982d06b9b5ca38a69184e5b9beeb0554044393dacb05636d664596839c
Instruction Fuzzy Hash: 9C2144B1C0066A9BDB14CFAAC5447AEFBB0EF48724F15812AD818A7640D338A944CFA4

Function 08B767C8 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 08B76843

Memory Dump Source

Source File: 00000001.00000002.2942907195.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b70000_computerlead.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 14a0965c96fc5b94a6e4594569a39a9df390c7aec88b10118891f0215773072d
Instruction ID: 76e7b52f849856583f44070b2283f545cb0bf4e560eedf1408fa8eef39cc5950
Opcode Fuzzy Hash: 14a0965c96fc5b94a6e4594569a39a9df390c7aec88b10118891f0215773072d
Instruction Fuzzy Hash: 30213675D002499FDB10CF9AC544BDEBBF4FB48310F10802AE858A7251D3789554CFA1

Function 0799FB5E Relevance: 1.6, APIs: 1, Instructions: 56injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0799FBF0

Memory Dump Source

Source File: 00000001.00000002.2940502389.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7990000_computerlead.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f0bb75d50cae9a7f2a9d7a7aa675c8c5feda9f3cc19e7df626f5341aea81ba2d
Instruction ID: 6f2be5a00ad477ee16d9e06484ae7ce8da24584bbe36f461a5db3eea4842aeae
Opcode Fuzzy Hash: f0bb75d50cae9a7f2a9d7a7aa675c8c5feda9f3cc19e7df626f5341aea81ba2d
Instruction Fuzzy Hash: 6E2122B190035A9FEF10DFA9C985BDEBBF5FF48314F148829E919A7250C7789940CBA4

Function 0799F818 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0799F88E

Memory Dump Source

Source File: 00000001.00000002.2940502389.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7990000_computerlead.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1c299a3d43731fe7a014b7ed285beac4c29e38a3ec951c842ec39edc517e13ae
Instruction ID: d085a83faa2aefe85208a10bbcb6a7a47d571ff057c476a1a3698ea679fa5150
Opcode Fuzzy Hash: 1c299a3d43731fe7a014b7ed285beac4c29e38a3ec951c842ec39edc517e13ae
Instruction Fuzzy Hash: 861156728002499FEF10CFAAC845BDFFBF5EF88324F248819E519A7250C7359554CBA0

Function 07990878 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 079908E8

Memory Dump Source

Source File: 00000001.00000002.2940502389.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7990000_computerlead.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 8353c9e39b9373d0b696a0986166dbe12cf86fe5be72a6ae5be27bc6ca21b0f5
Instruction ID: bf10c984107e4372998e9b775aa1a8bb94aec4a3b94fc0c55a1b8e67e1de5ff4
Opcode Fuzzy Hash: 8353c9e39b9373d0b696a0986166dbe12cf86fe5be72a6ae5be27bc6ca21b0f5
Instruction Fuzzy Hash: 971133B1C0066A9BDB14DF9AC445BAEFBF4EF48724F14812AD818A7240D738A944CFE5

Function 08B767D0 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 08B76843

Memory Dump Source

Source File: 00000001.00000002.2942907195.0000000008B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b70000_computerlead.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5c1b1f3d0c3465587897a868bf076ecdd019e44f5a9baf70fb333aad0992cd87
Instruction ID: 7d72f1a8f71c3502baec3483c2e006f5a28e62a95a9e28c537a86625d7ac2837
Opcode Fuzzy Hash: 5c1b1f3d0c3465587897a868bf076ecdd019e44f5a9baf70fb333aad0992cd87
Instruction Fuzzy Hash: D621D3B59006499FDB10CF9AC885BDEFBF4EB48320F10842AE958A7251D378A954CFA5

Function 0799D6D8 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0799D74B

Memory Dump Source

Source File: 00000001.00000002.2940502389.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7990000_computerlead.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: aad644eebe5166b0d5db8ba5caea465b22b3904cf5e66e5456a12aa7847da42c
Instruction ID: 5c327a5b001c55903f47b5c5e21cfac4829437bbe458c80a93a20e12c2233098
Opcode Fuzzy Hash: aad644eebe5166b0d5db8ba5caea465b22b3904cf5e66e5456a12aa7847da42c
Instruction Fuzzy Hash: B121E4B59002499FDB10DF9AC985BDEFBF4FF48324F108429E958A7250D378A544CFA5

Function 0799F820 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0799F88E

Memory Dump Source

Source File: 00000001.00000002.2940502389.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7990000_computerlead.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 39dbcdb000e0b7b658f7c742a8f3ac2dc49c62488d212a94bcd1082a21bfda2a
Instruction ID: e1f09ace8191fef2a3544c92b873a78f55367e150cd2ef7fec63ef756793dd3a
Opcode Fuzzy Hash: 39dbcdb000e0b7b658f7c742a8f3ac2dc49c62488d212a94bcd1082a21bfda2a
Instruction Fuzzy Hash: 811126718002499FEF10DFAAC845BDEFBF5EF88324F248819E515A7250C7759550CBA4

Function 01808A18 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000,?,?,?,00000000,?,?,01808850), ref: 01808A90

Memory Dump Source

Source File: 00000001.00000002.2931288288.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1800000_computerlead.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 70c49479595e831dba6958fdd9bab15415b5d1098e69ec13c9ac6702653b5c7e
Instruction ID: e9008439de555fe048031704f5945ab2cf4cbcad6870a011bbee6c8370d98546
Opcode Fuzzy Hash: 70c49479595e831dba6958fdd9bab15415b5d1098e69ec13c9ac6702653b5c7e
Instruction Fuzzy Hash: 8B1144B1C0064A9FDB14CF9AD840B9EFBB4FB49720F10811AD918A7640D334A680CFA1

Function 01807FB8 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000,?,?,?,00000000,?,?,01808850), ref: 01808A90

Memory Dump Source

Source File: 00000001.00000002.2931288288.0000000001800000.00000040.00000800.00020000.00000000.sdmp, Offset: 01800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1800000_computerlead.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: b8c5d29c456dae907703fd00aaba489bbd04dca02ae56cfefe99e073432c41d1
Instruction ID: bbbe715ed981504207e4d1f41b49445b3f3f0ce774b30eb4c16218ad5f33fd36
Opcode Fuzzy Hash: b8c5d29c456dae907703fd00aaba489bbd04dca02ae56cfefe99e073432c41d1
Instruction Fuzzy Hash: DE1142B1C0464A9BDB14CF9AD844B9EFBB4FB49320F10812AD918B3640D374AA80CFA5

Function 031B1DE8 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 031B1E52

Memory Dump Source

Source File: 00000001.00000002.2931561950.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_31b0000_computerlead.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c8f149d5126ef27f6ade96e99866bde5c7d99d8335ac4e72f46446772770049f
Instruction ID: 817bc1b4dd3b3134507fd67bb0df51c9fc1c812aa3f8be893f211b7fa1386c20
Opcode Fuzzy Hash: c8f149d5126ef27f6ade96e99866bde5c7d99d8335ac4e72f46446772770049f
Instruction Fuzzy Hash: 30115B719003498FEB24DFA9C886BEEFBF4EF88324F248429D419A7240CB759940CB94

Function 031B1DF0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 031B1E52

Memory Dump Source

Source File: 00000001.00000002.2931561950.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_31b0000_computerlead.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3c9f6d535cf46d73814070af00c1aa77f2118838cc35e7af7bbef265dcbb8d60
Instruction ID: 225a248a292638069baf9fe9f57810de3bddef1f795dd15d3909b5659dfb4455
Opcode Fuzzy Hash: 3c9f6d535cf46d73814070af00c1aa77f2118838cc35e7af7bbef265dcbb8d60
Instruction Fuzzy Hash: 5F1125719003498FEB10DFAAC845BDEFBF5AF88624F248429D519A7240CB79A944CBA4

Function 031B0128 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 031B220D

Memory Dump Source

Source File: 00000001.00000002.2931561950.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_31b0000_computerlead.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 51c6ee13ff7ebac50e46f4fdf9da2c335deb9cbd966d95b423a1f6227d19a8d9
Instruction ID: a0c44b562a1c26190fa85a7f9a0423a215eac55a21bb5fb35d241e0c893ae9b2
Opcode Fuzzy Hash: 51c6ee13ff7ebac50e46f4fdf9da2c335deb9cbd966d95b423a1f6227d19a8d9
Instruction Fuzzy Hash: 9011F2B58003499FDB10DF9AD885BDEFBF8EB48320F108859E958A7200C375A994CFA5

Function 031B21A9 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 031B220D

Memory Dump Source

Source File: 00000001.00000002.2931561950.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_31b0000_computerlead.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: aa31e77cae00681ad24dcd9c8b364e003768294992bd97eb5711b5d893cb52df
Instruction ID: a1f46b3fcc4e0862e3325f75d1e0878fdb0cd0aa8a82e9a536bc974220fc1592
Opcode Fuzzy Hash: aa31e77cae00681ad24dcd9c8b364e003768294992bd97eb5711b5d893cb52df
Instruction Fuzzy Hash: CF11F2B58002499FDB10CF99D985BDEBBF4EB48310F24845AE558B7250C379A654CFA1

Function 0171D034 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2930789467.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_171d000_computerlead.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c3c6ec46652e2e5af36541349efc6b5518c499590411da4750c9f001be99011
Instruction ID: 5effea209da571f782e755ed26972088911ddb88a2c1f3c41c2ae1b7c4b79f79
Opcode Fuzzy Hash: 6c3c6ec46652e2e5af36541349efc6b5518c499590411da4750c9f001be99011
Instruction Fuzzy Hash: D5212571604204DFDB21DF58C9C8B16FB61FB84314F20C6ADD9094B246C336D446CE61

Function 0171D1EC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2930789467.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_171d000_computerlead.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc69c394bbac40071a67975d34eecf997951e241eb4b0c69b4c12a8b4f8a5a7e
Instruction ID: 301c3b0d61e8d0e970df4cad7973ac35ee79df1dc58a3fbcc20b4a7280155d33
Opcode Fuzzy Hash: dc69c394bbac40071a67975d34eecf997951e241eb4b0c69b4c12a8b4f8a5a7e
Instruction Fuzzy Hash: C8213771608300EFDB25DF98D5C8B56FB61FB88324F20C5ADD8094B25AC376D446CEA1

Function 0171D1E7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2930789467.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_171d000_computerlead.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
Instruction ID: 8b95e46a9369d1ba24196dcfe28a258257ad3e4c3c89dbb63c836f5a0edecbdf
Opcode Fuzzy Hash: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
Instruction Fuzzy Hash: 2911BB75508280CFCB16CF58D5C4B55FBA2FB88224F24C6A9D8094B65AC33AD40ACFA1

Function 0171D02F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2930789467.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_171d000_computerlead.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
Instruction ID: 9d162ae8032268b5df4850006f61b98447c9363c8627c55c5eee8f6480ec396b
Opcode Fuzzy Hash: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
Instruction Fuzzy Hash: A711BE75504244CFCB12CF58C5C4B15FB61FB44314F24C6A9D8494B656C33AD44ACF61

Function 0170D7B1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2930753067.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_170d000_computerlead.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 248a3ea8ce8762fd81a5b15678d565d794449d4e07c2d723c42e1baf18e62792
Instruction ID: 8a2d37a6901326198005f319af5d99af64f0cbd4dc5525f2072ac5f0b7900efe
Opcode Fuzzy Hash: 248a3ea8ce8762fd81a5b15678d565d794449d4e07c2d723c42e1baf18e62792
Instruction Fuzzy Hash: 6101A771404345DAE7324AD9CD84767FFD8EF45324F18C55AEE094A2C2D2799445C6B1

Function 0170D7B0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2930753067.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_170d000_computerlead.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c55ac16430cf214470339b675c71569def45e315b1255db788f787951a1dc5
Instruction ID: 680fe44e0543c29487c28ca0ed75023f73c2b0ae1312a3420bd5ac5bc8be7032
Opcode Fuzzy Hash: 94c55ac16430cf214470339b675c71569def45e315b1255db788f787951a1dc5
Instruction Fuzzy Hash: C8F062714453449AE7218A5ADDC4B62FFD8EF41624F18C45AED4C4F2C6D2799844CAB1

Analysis Process: fontdrvhost.exePID: 7916, Parent PID: 6320COMMON

Executed Functions

Function 003B02D8 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 169memoryfileCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000000,?,?), ref: 003B0326

Part of subcall function 003B00A4: VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 003B00CD
Part of subcall function 003B00A4: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 003B0279

VirtualAlloc.KERNELBASE(00000000,00400000,00001000,00000004), ref: 003B0378
VirtualProtect.KERNELBASE(0000002C,?,00000040,?), ref: 003B03E7
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 003B0407
MapViewOfFile.KERNELBASE(?,00000004,00000000,00000000,00000000), ref: 003B042E
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 003B0456
CloseHandle.KERNELBASE(?), ref: 003B0471

Strings

,, xrefs: 003B0356

Memory Dump Source

Source File: 00000012.00000003.2942125599.00000000003B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_3_3b0000_fontdrvhost.jbxd

Similarity

API ID: Virtual$Alloc$Free$CloseFileHandleProtectView
String ID: ,
API String ID: 3867569247-3772416878
Opcode ID: 35eb397ea14406336b01ea38f36e06f8461e94550e7b98cd084062937234d485
Instruction ID: 1c9d4f5e4ade5c3b40a3ae19ab8db31b381e6b41bcd68358aaa8345c081742c2
Opcode Fuzzy Hash: 35eb397ea14406336b01ea38f36e06f8461e94550e7b98cd084062937234d485
Instruction Fuzzy Hash: 58611BB5900209EFDB25DFA9C985ADEBBB8FF08354F14851AFA59A7640D730E940CF60

Function 003B00A4 Relevance: 2.7, APIs: 2, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00001012,00001000,00000004), ref: 003B00CD
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 003B0279

Memory Dump Source

Source File: 00000012.00000003.2942125599.00000000003B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_3_3b0000_fontdrvhost.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction ID: 0bd7b0c051b2dcb398ab0b6f281a8ee4e8c4a9cb9bf81def1b0ce3eef05600f4
Opcode Fuzzy Hash: 7dc8e79fde86babc96161718fc4e5f80a5398d7d893a888eaa0e52eee754c683
Instruction Fuzzy Hash: F771BC71E04249DFCB4ACF98C985BEEBBF0AF08318F244495E561FB641C234AA85DF64

Non-executed Functions

Function 003B0283 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000003.2942125599.00000000003B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 003B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_3_3b0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d558d006f42668ff0cb3938fe5626bc0e09627662ae6e14989234e2d35bd114b
Instruction ID: 6308e2aa110c7a6b6384c50dd125ec815ad1bd154548ed83b13553b283834439
Opcode Fuzzy Hash: d558d006f42668ff0cb3938fe5626bc0e09627662ae6e14989234e2d35bd114b
Instruction Fuzzy Hash: 7DF0A979A012009F8B2ACF09C5488D6B7B6EB90728B2649A5D504AF661D3B1ED88CB60

Analysis Process: fontdrvhost.exePID: 8124, Parent PID: 6320COMMON

Execution Graph

Execution Coverage:	33.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	83.3%
Total number of Nodes:	24
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000001BE066E1CF4 Relevance: 3.3, APIs: 2, Instructions: 278
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAcceptConnectPort.NTDLL ref: 000001BE066E1F92
CloseHandle.KERNELBASE ref: 000001BE066E1F9B

Memory Dump Source

Source File: 00000016.00000002.3129592218.000001BE066E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001BE066E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1be066e0000_fontdrvhost.jbxd

Similarity

API ID: AcceptCloseConnectHandlePort
String ID:
API String ID: 3811980168-0
Opcode ID: 8de21919ba4e7da2ec8babe99db5fa309179d4a6fc20011960c2bc0dbfe1bd07
Instruction ID: 4040db794e2186e829ae5d95e18e1e5a2ee9ba238aca2123ad7e77768fc7019f
Opcode Fuzzy Hash: 8de21919ba4e7da2ec8babe99db5fa309179d4a6fc20011960c2bc0dbfe1bd07
Instruction Fuzzy Hash: BB91A930608E088FD765EF1CD4457E5B3E1FB96310F24465EF49BC729AEBB4A9428B81

Function 000001BE066E0AC8 Relevance: 3.2, APIs: 2, Instructions: 185
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAcceptConnectPort.NTDLL ref: 000001BE066E0C14
NtAcceptConnectPort.NTDLL ref: 000001BE066E0C5E

Memory Dump Source

Source File: 00000016.00000002.3129592218.000001BE066E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001BE066E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1be066e0000_fontdrvhost.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: edb00cfd68506d9e2dba1711408e29722439e3f5d75e8330a2fbe30d3ffa3586
Instruction ID: b8570472d2c9c6ede7dc043367330e12df8942593c3e99726e5fbaa824c146f0
Opcode Fuzzy Hash: edb00cfd68506d9e2dba1711408e29722439e3f5d75e8330a2fbe30d3ffa3586
Instruction Fuzzy Hash: A1512430A18A150EE32CB738A8953F9B7D0F782705F34059EF0E3C5197EBA5C5468A82

Function 000001BE066E1AA4 Relevance: 3.2, APIs: 2, Instructions: 150
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAcceptConnectPort.NTDLL ref: 000001BE066E1AE9

Part of subcall function 000001BE066E1870: GetProcessMitigationPolicy.KERNELBASE ref: 000001BE066E1943

NtAcceptConnectPort.NTDLL ref: 000001BE066E1BE3

Memory Dump Source

Source File: 00000016.00000002.3129592218.000001BE066E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001BE066E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1be066e0000_fontdrvhost.jbxd

Similarity

API ID: AcceptConnectPort$MitigationPolicyProcess
String ID:
API String ID: 2923266908-0
Opcode ID: 37ffde8be01af1a53292e533ef779818db057a4d2febe365c0e37f81bdd73f96
Instruction ID: a5b3ed2bf3029cc4779908b2f657c784a04cbf21265cf44adabc501b9c72030c
Opcode Fuzzy Hash: 37ffde8be01af1a53292e533ef779818db057a4d2febe365c0e37f81bdd73f96
Instruction Fuzzy Hash: EC41F430208B488FDB44EF2C98897D57BD1EB56320F1443AEE85ACB2D7DB74C9498B95

Function 000001BE066E15C0 Relevance: 1.6, APIs: 1, Instructions: 76
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAcceptConnectPort.NTDLL(?,?,?,?,?,?,?,?,00000000,000001BE066E1E3A), ref: 000001BE066E1654

Memory Dump Source

Source File: 00000016.00000002.3129592218.000001BE066E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001BE066E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1be066e0000_fontdrvhost.jbxd

Similarity

API ID: AcceptConnectPort
String ID:
API String ID: 1658770261-0
Opcode ID: 31ad342f5252e0eae0e69cb0d148a17bac8dd2f383a05ec1edad7c50bb2dab19
Instruction ID: 3b3ae7dea9d991a22db6a409f84dc1e8f946c176c0d360bacd219ce187a1bd1f
Opcode Fuzzy Hash: 31ad342f5252e0eae0e69cb0d148a17bac8dd2f383a05ec1edad7c50bb2dab19
Instruction Fuzzy Hash: 65215171608B088FDB58DF18C4C9AAAF7E1FB6A305F140A6EF44AC7260D731D489CB41

Function 000001BE066E1870 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessMitigationPolicy.KERNELBASE ref: 000001BE066E1943

Memory Dump Source

Source File: 00000016.00000002.3129592218.000001BE066E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001BE066E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1be066e0000_fontdrvhost.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: 99997b7cfe94d00fabebebec2ac1473308d63281a908fb467bb5077a366d1b6f
Instruction ID: 354b386b90435c54861621087d28ab4731024a688b685913cb6953d625416645
Opcode Fuzzy Hash: 99997b7cfe94d00fabebebec2ac1473308d63281a908fb467bb5077a366d1b6f
Instruction Fuzzy Hash: B831A530300A074EEBA5B768E4947F1B2D0EB96312F2411B9F015D71D9EBB5C949DB60

Non-executed Functions

Function 000001BE066E0511 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3129592218.000001BE066E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001BE066E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1be066e0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 247c94ababd4710b0196191072c8bbb5758b71c13019f7a788401a9348e82e18
Instruction ID: 1684949b0e2b346c4f6e13502068689c61c9b2d028cdf62c4328b71d82623ec0
Opcode Fuzzy Hash: 247c94ababd4710b0196191072c8bbb5758b71c13019f7a788401a9348e82e18
Instruction Fuzzy Hash: CFB01130E2AA00C2E3880E0AB8023A0F2B2C30B300F02B2322002F3220CA28CC08028F

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Rhadamanthys

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_fontdrvhost.exe_d32c824e8915b30da4efd4eabd13e74e4ef8c1_ad0be647_0617501e-f2e0-4753-97d1-6002f83486ad\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER837D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER83BC.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER83EC.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\computerlead.exe.log

C:\Users\user\AppData\Local\Temp\IXP000.TMP\computerlead.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Windows Analysis Report
file.exe

Function 00007FF7E5E0721C Relevance: 54.6, APIs: 17, Strings: 14, Instructions: 372
libraryloaderCOMMON

Function 00007FF7E5E01A08 Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 181
registrylibrarymemoryCOMMON

Function 00007FF7E5E01D28 Relevance: 37.1, APIs: 10, Strings: 11, Instructions: 373
memoryCOMMON

Function 00007FF7E5E0521C Relevance: 35.3, APIs: 14, Strings: 6, Instructions: 299
memorystringCOMMON

Function 00007FF7E5E05810 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 183
synchronizationCOMMON

Function 00007FF7E5E05B50 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 218
COMMON

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre